Enable Folder Auditing
This article explains how to enable Windows folder auditing.
This is required if you need to review auditing reports with Syskit Monitor.
By auditing the files and folders access you can report on user activities performed against selected files and folders.
Configuring Group Policy
There are two methods of applying group policy. Login on to your Domain Controller and check if you have Group Policy Management under Administrative Tools.
A) Configuring Group Policy for a domain WITHOUT Group Policy Management feature:
Login to you Domain Controller with an account that has Domain Administrator privileges.
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
On the View menu, click Advanced Features.
Right-click Domain Controllers, and then click Properties.
Click the Group Policy tab, click Default Domain Policy, and then click Edit.
Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
In the right pane, right-click Audit Object Access, and then click Properties.
Click Define These Policy Settings, and then click to select Success. Click OK.
The changes you made will only take effect when the policy setting is propagated or applied to your computer. Complete either of the following steps to initiate policy propagation right now:
Type gpupdate /force at the command prompt of a server and then press ENTER. The policy will be updated.
Wait for automatic policy propagation that occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes.
B) Configuring Group Policy for a domain WITH Group Policy Management feature:
Login to you Domain Controller with an account that has Domain Administrator privileges.
Click Start, point to Programs, point to Administrative Tools, and then click Group policy management.
Click Default Domain Policy, and then click Edit (in case you have a special policy only for terminal servers select that policy.
Click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
In the right pane, right-click Audit Object Access, and then click Properties.
Click Define These Policy Settings, and then click to select Success. Click OK.
The changes you made will only take effect when the policy setting is propagated or applied to your computer. Complete either of the following steps to initiate policy propagation right now:
Type gpupdate /force at the command prompt of a server and then press ENTER. The policy will be updated.
Wait for automatic policy propagation that occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes.
After group policy configuration we are going to configure certain folders for auditing:
Login to you server and right click the folder you want to enable auditing for and click Properties.
Choose the Security tab and for special permissions or advanced settings, click Advanced.
The Advanced Security Settings dialog for the selected folder will open. First choose on the Auditing tab and then click the Edit... button.
In the Auditing tab, click the Add button.
In the Auditing Entry dialog for the selected folder, click the Select a principal link to enter all users/groups whose operations you want to audit. If you want to audit all users in your domain type in “Domain Users”. Click OK.
Under the Basic permissions part, click the Show advanced permissions link and select the operations you want to track. We recommend that you select the minimal set of operations. Auditing is a resource consuming operation so you should select just a few operations you want to track here. We recommend to select the following:
List folder / read data
Create files / write data
Create folders / append data
Delete
If there is a folder structure below the selected folder, make sure you have enabled the Replace all child object auditing entries with inheritable auditing entries from this object option in the Advanced Security Settings dialog.
Configuring Syskit Monitor
You need to enable collection of event log data under File > Manage > System Jobs and you are good to go. Syskit Monitor will start to collect audit information from the Event Log on a regular basis.
See the Extract Event Log article for more detailed information.
Last updated