I've enabled audit logging for the company I work for and it's not working
how I'd like it to. I've enabled 'audit object access' in AD and turned on
file access; however it also is giving several false positives. Here is an
example from my event viewer.
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 17/08/2007
Time: 9:18:43 AM
User: DOMAIN\grav
Computer: BL2WIN3FPS
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Treasury Data\Common\Parking\TOW LIST.xls
Handle ID: -
Operation ID: {0,805667365}
Process ID: 4
Image File Name:
Primary User Name: BL2WIN3FPS$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: grvy
Client Domain: DOMAIN
Client Logon ID: (0x0,0x2FC3521A)
Accesses: DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1030089
I have checked several files and users can access the files that it's
logging in my event viewer.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
My file print server is 2003 SP2, all updates applied. I only want to audit
unsuccessful file access attempts.
--
Colin Craig
MCSE, MCSA, A+
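
Added example, not part of the original post: a Python parser for the text of an event 560 record that decodes its Access Mask into the individual rights the open request asked for and flags those that go beyond plain read access. The function names and the BEYOND_READ grouping are assumptions made for this illustration; the bit values are the standard Windows file access-right constants.

```python
import re

# Standard and file-specific access-right bits (Windows SDK, winnt.h);
# names follow the event text in the post where the post shows them.
FILE_ACCESS_BITS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYS_SEC",
}
# Assumed grouping for this example: rights that go beyond reading a file.
BEYOND_READ = {"WriteData (or AddFile)", "AppendData (or AddSubdirectory)",
               "DELETE", "WRITE_DAC", "WRITE_OWNER", "ACCESS_SYS_SEC"}

# Sample input: fields copied from the event in the post above.
SAMPLE_EVENT = """Event Type: Failure Audit
Event ID: 560
Object Name: D:\\Treasury Data\\Common\\Parking\\TOW LIST.xls
Client User Name: grvy
Access Mask: 0x1030089
"""

def decode_mask(mask):
    """Return the names of the rights set in mask, lowest bit first."""
    names = [n for bit, n in sorted(FILE_ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_ACCESS_BITS)
    return names + (["unknown bits 0x%X" % unknown] if unknown else [])

def triage(event_text):
    """Parse one event 560 record and flag the rights beyond plain read."""
    def field(label):
        m = re.search(r"^%s:[ \t]*(.*)$" % re.escape(label), event_text, re.M)
        return m.group(1).strip() if m else None
    rights = decode_mask(int(field("Access Mask"), 16))
    return {"type": field("Event Type"), "object": field("Object Name"),
            "user": field("Client User Name"), "rights": rights,
            "beyond_read": [r for r in rights if r in BEYOND_READ]}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

An open request is denied as a whole when any one of the requested rights is not granted, so the flagged rights are the ones to compare against the file's ACL and the caller's privileges. ACCESS_SYS_SEC in particular is only granted to callers holding the SeSecurityPrivilege privilege.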