Discussion:
unable to enable "success" option of "Audit object access" under L
Terence
2005-03-31 08:25:06 UTC
I have a Windows 2003 Server which is a member server of corporate AD. I
want to turn on any access (no matter it is success or failed access) to a
specific parent including its subfolders and files. I go to Administrative
Tools -> Local Security Settings -> Local Policies -> Audit Policy -> Audit
Object Access.

The check-box of "Success" and "Failure" are disabled. The check-box
"Failure" is checked, whereas, the check-box "Success" is unchecked. I can't
make any modification to them.

Any ideas on how to enable the "Success" access?

Is "Audit object access" the right option to audit folder and files access
to the server?
Paul Adare
2005-03-31 08:30:55 UTC
In article <3D538009-BBBB-47B2-AF5A-***@microsoft.com>, in the
microsoft.public.windows.server.security news group,
Post by Terence
> I have a Windows 2003 Server which is a member server of corporate AD. I
> want to turn on any access (no matter it is success or failed access) to a
> specific parent including its subfolders and files. I go to Administrative
> Tools -> Local Security Settings -> Local Policies -> Audit Policy -> Audit
> Object Access.
> The check-box of "Success" and "Failure" are disabled. The check-box
> "Failure" is checked, whereas, the check-box "Success" is unchecked. I can't
> make any modification to them.
> Any ideas on how to enable the "Success" access?

The server is getting audit policy from a GPO in Active Directory
somewhere. You'll need to talk to whomever controls that GPO.

Post by Terence
> Is "Audit object access" the right option to audit folder and files access
> to the server?

Yes.
--
Paul Adare
http://www.identit.ca/blogs/paul/
Scientists were excited this week at having isolated a brief sound which
occurred immediately before the Big Bang.
Apparently, the sound was, "uh oh".
Terence
2005-04-01 03:35:05 UTC
Thanks. I have asked my AD administrator to define "Success" for my server
and I run the gpupdate to refresh the audit policy. Now, I have "Success" in
place for the "Audit object access".

I turn on the auditing of d:\cfs folder including sub-folders and files.
However, besides the successful access to any subfolders and files under
d:\cfs of the Windows 2003 server being logged, I also find quite a lot of
events (event id: 560 & 562) logged in the Security log of Event Viewer. I have
read the explanation from http://go.microsoft.com/fwlink/events.asp.

Is it possible to stop logging event id: 560 & 562 into the event view, as it
may consume the SECURITY log very soon?

If not, is there another way to audit successful access to files and sub-folders
of a specific folder without generating too many events?
Steven L Umbach
2005-04-01 22:13:11 UTC
As long as auditing of global objects is disabled in effective security
policy [it is by default] there is nothing you can do except to audit only
those folders and files that you need to for the least amount of necessary
permissions for the least amount of users/groups. For instance, if you only
need to know who is writing or deleting files then audit just those
permissions. You will find that Event Comb will be helpful in tracking down
specific events including using text search strings for things like delete,
user name, or file name. Event Comb is available at the link below. ---
Steve


http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
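An added example, not from any poster in this thread, of the advice above to audit only the permissions and accounts you need: it trims the explicit audit entries on D:\cfs to successful write- and delete-type access. The group name CORP\CFS-Users is a hypothetical placeholder, and PowerShell is assumed to be available on the server.

```powershell
# Added example, not from the thread. Run elevated: reading or changing a SACL
# requires the "Manage auditing and security log" user right.
# Assumption: 'CORP\CFS-Users' is a hypothetical group name; substitute your own.

$path     = 'D:\cfs'
$identity = 'CORP\CFS-Users'

$ns = 'System.Security.AccessControl'

# Write- and delete-type rights only. "List Folder / Read Data" is deliberately
# left out, because every directory listing and file open would otherwise be logged.
$rights = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$onSuccess = [System.Security.AccessControl.AuditFlags]::Success

# -Audit is required; without it Get-Acl does not return the SACL.
$acl = Get-Acl -Path $path -Audit

# Remove explicit audit entries that include read access. The whole entry is
# removed, so any write/delete bits it carried are re-added by the rule below
# only for $identity. Inherited entries are not touched here; they have to be
# changed on the parent object that defines them.
$read = [System.Security.AccessControl.FileSystemRights]::ReadData
foreach ($old in @($acl.Audit)) {
    if (-not $old.IsInherited -and ($old.FileSystemRights -band $read)) {
        [void]$acl.RemoveAuditRuleSpecific($old)
    }
}

# Add the narrow success-only entry for the one group that needs auditing.
$rule = New-Object "$ns.FileSystemAuditRule" -ArgumentList `
    $identity, $rights, $inherit, $propagate, $onSuccess
$acl.AddAuditRule($rule)

Set-Acl -Path $path -AclObject $acl

# Show the resulting audit entries for review.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```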
Terence
2005-04-06 02:33:02 UTC
I have downloaded the ALTools and tried event comb.exe, and the following
EventCombMT.txt was generated. It seems that the failure is caused by
"access is denied". HQSCFS01 is one of the member servers of AD.

==============================
Finding all events reguardless of date or time.
Searching Security Logs
No Event IDs specified.
Event Text: D:\CFS
No Event Source specified.
No Between Event IDs specified.
Will Search the following servers:
hqscfs01
To find these events we'll need a search running. It has already begun....

Spawning Thread for: hqscfs01
Thread Running for: hqscfs01
All threads Scheduled to run are running.
Security Log on hqscfs01 was not available. GetLastError was 5. Error text
was: Access is denied.
Security Log on hqscfs01 not available. GetLastError was 131. Error text
was: Access is denied.
Exiting thread for: hqscfs01
Total events searched: 0
Total matches found: 0
Servers/Logs Searched: 1
DLL Cache Contained: 0
SID Cache Contained: 0
Start time: Wed Apr 06 10:23:38 2005
Finish time: Wed Apr 06 10:23:38 2005
True records per second: 0.00
==============================

Any ideas to resolve this issue?
Steven L Umbach
2005-04-07 00:35:12 UTC
Are you an administrator on that server?? It looks like a permission or
privilege problem. Can you access that security log via Computer Management,
both locally and remotely?? --- Steve
Terence
2005-04-07 02:51:02 UTC
I ran event comb.exe on the server side by entering "d:\cfs" into the text field
of Event Comb.exe (and selecting Security Log and "Success") and the result was
generated. After scanning through the output generated, I found that only the
path (directory) was logged in the SECURITY log; nothing down to the file level of READ,
WRITE, MODIFY, DELETE was logged.

In fact, I turned on the following successful access audit at the d:\cfs
directory level, including all sub-folders and child objects:

- List Folder / Read Data
- Create Files / Write Data
- Create Folders / Append Data
- Delete subfolders and files
- Delete
- Change Permissions
- Take Ownership

Is it normal not to log file name access into the SECURITY Log even after
you enable the auditing listed above? If not, how can I enable audit logging of
the file names accessed into the SECURITY Log? I need the auditing detail down to file
name level.

Thanks.