
Thread: Log file access

  1. Junior Member
    Join Date
    Dec 2004
    Posts
    21

    Certifications
    A+, CCNA
    #1

    Log file access

    I was wondering... is there a way to log all access to a folder or file? I know how to set NTFS permissions but a RL situation has come up at the office where we need to be able to prove when a certain person has accessed a file. Thanks for any info on this.

  3. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #2
    In short, go into group policy, enable success/failure for Audit Object Access. Now go onto the file server/workstation that has the files, run gpupdate /force, then go into security permissions > click advanced, enable auditing for the file(s)/folder(s) you want to audit, and choose full control for the user(s)/group(s) you want to audit. This will now log attempts to the event viewer.


    Here's a doc that explains the process. You could do this via AD Group Policy, or the local policy on the file server.

    http://www.gregthatcher.com/Papers/IT/audit.aspx

    For the last picture, I would enable the Everyone Group Full Control for all Successful and Failure attempts on the files and folders. This should not be enabled indefinitely as it takes a toll on performance.

  4. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #3
    Quote Originally Posted by icroyal
    For the last picture, I would enable the Everyone Group Full Control for all Successful and Failure attempts on the files and folders. This should not be enabled indefinitely as it takes a toll on performance.
    Have you ever seen this done in real life on a production server? I have and it ain't pretty. Specify who you want to audit, or limit the auditing to a single share with limited access only.

    I actually saw a newly minted MCSE do this to "protect" his server. The server choked, seized, puked, and after it completely locked up he had to do a hard shutdown. The power up process took over 45 minutes while "system" (a member of the everyone group) accessed startup files. At some point I had mercy on him and connected to group policy remotely on the computer (while he was wringing his hands trying not to look too stupid) and turned off his auditing so he could finally log in to the console.

  5. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #4
    Oh, and if you enable this kind of auditing, make sure you set your event logs' maximum size to handle the events without overwriting or shutting down the system when they are full.
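
The steps from posts #2 to #4 as one script, added here as an example and not written by anyone in the thread: enable object-access auditing, audit one named account on one folder instead of Everyone, size the Security log, and list that account's accesses. It assumes Windows Vista/Server 2008 or later (auditpol subcategories, event ID 4663) and an elevated session; the folder, account and log size are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Placeholder values, change before use:
$Path    = 'D:\Shares\Payroll'   # hypothetical folder to audit
$Account = 'CONTOSO\jdoe'        # hypothetical user to audit (not Everyone)
$LogSize = 256MB                 # hypothetical Security log maximum size

# 1. Turn on success/failure auditing for file system object access.
#    A domain GPO that defines audit policy overrides this local setting.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry (SACL) for that one account on the folder and its
#    children. 'FullControl' follows post #2; fewer rights means fewer events.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Account, 'FullControl', 'ContainerInherit, ObjectInherit', 'None',
    'Success, Failure')
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Raise the Security log maximum size (bytes) so audit events have room.
wevtutil sl Security /ms:$LogSize

# 4. Report accesses by that account under the folder (event 4663).
function Get-FolderAccessEvent {
    param([string]$Folder, [string]$User, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data.ObjectName -like "$Folder*" -and
                $data.SubjectUserName -eq $User) {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Object  = $data.ObjectName
                    Access  = $data.AccessMask
                    Process = $data.ProcessName
                }
            }
        }
}

# SubjectUserName holds the account name without the domain prefix.
Get-FolderAccessEvent -Folder $Path -User $Account.Split('\')[-1] `
    -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```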

  6. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #5
    No, I haven't seen it done. I also agree with you that it should be limited to a user or small group of users. In my first paragraph, I stated to add user(s)/group(s) to it instead of Everyone Group. I made a mistake in saying to add the Everyone group since he wanted to audit a specific user.

  7. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #6
    Quote Originally Posted by icroyal
    No, I haven't seen it done. I also agree with you that it should be limited to a user or small group of users. In my first paragraph, I stated to add user(s)/group(s) to it instead of Everyone Group. I made a mistake in saying to add the Everyone group since he wanted to audit a specific user.
    I just had to pick on you at least once, since in your more than 500 other posts I haven't found anything else to pick on.

  8. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #7
    Quote Originally Posted by sprkymrk
    Quote Originally Posted by icroyal
    No, I haven't seen it done. I also agree with you that it should be limited to a user or small group of users. In my first paragraph, I stated to add user(s)/group(s) to it instead of Everyone Group. I made a mistake in saying to add the Everyone group since he wanted to audit a specific user.
    I just had to pick on you at least once, since in your more than 500 other posts I haven't found anything else to pick on.
    You bully!
