Question : NTFS Permissions Auditing problems

Hello,

I'm trying to set up a very specific auditing policy on our file server. I'd like to be able to audit when people make NTFS permission changes to files or folders, as well as when someone takes ownership. I would not like to audit anything other than these two things, and I don't want the log to fill up.

Here's what I've done so far without being able to get the results I'm looking for:

I've edited the group policy "Default Domain Controllers Policy"  Computer Configuration > Policies > Security Settings > Local Policies > Audit Policy > Audit Object Access: I've set it to audit Success but NOT Failure. The reason I've done this is that I only want to see when someone has changed permissions or ownership, not when they've been denied.

On the Root folder that contains the files and folders I'd like to audit I've performed the following:

Right Clicked > Properties > Security Tab > Advanced Button > Auditing Tab > Edit... Button > Add Button... > I entered "Domain Users" and clicked OK > I Selected from the Successful column "Change Permissions" and "Take Ownership" and then clicked OK > I Selected the box titled "Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object" and then clicked Apply, and finally clicked OK.

Now I make permissions changes to files, and I do not see anything in the security log saying that I've done so. Also I'm not seeing a ton of other entries related to file and process access, that I do not want to see.

Anyone have any ideas?

Answer : NTFS Permissions Auditing problems

Hmm... unfortunately the audit log entries don't allow much granular customization in terms of the fine detail as to what to log (I have tried), but the most simple and fast way is to set a filter on the security logs (i.e. only display certain Event IDs), or use network monitoring software to filter out all those unwanted logs.

If space is going to be a major concern for you (the logs will definitely grow faster than before), then I will definitely use network monitoring software to remotely offload the logs to somewhere else with LARGE data storage, and keep a LIMIT on the servers' security log size.

This will prevent any sudden LARGE GROWTH of the logs and crash your server.

Hope this helps.
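
The Event ID filtering suggested in the answer, as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2008 or later (where event 4670 records a permission change and event 4663 carries the requested access mask), an elevated session on the file server, and `D:\Shares` as a placeholder for the audited root folder.

```powershell
# Added example: list only permission (DACL) changes and ownership changes
# under one folder tree, ignoring every other object-access event.
$Root = 'D:\Shares'       # placeholder path (assumption), replace with the audited root

# Standard access-right bits matching the two SACL boxes ticked in the question
$WRITE_DAC   = 0x40000    # "Change Permissions"
$WRITE_OWNER = 0x80000    # "Take Ownership"

# Show whether File System auditing is actually in effect on THIS machine
auditpol /get /subcategory:"File System"

function Get-EventField {
    param($Record, [string]$Name)
    # Return one named <Data> element from the event's XML payload
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4670 = permissions on an object were changed
# 4663 = an attempt was made to access an object (includes AccessMask)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670, 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = Get-EventField $_ 'ObjectName'
        $type = Get-EventField $_ 'ObjectType'
        # Keep file-system objects under $Root only
        if ($type -ne 'File' -or -not $path) { return }
        if (-not $path.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)) { return }

        $action = 'PermissionChange'
        if ($_.Id -eq 4663) {
            # AccessMask is logged as hex text, e.g. 0x80000
            $mask = [Convert]::ToInt32((Get-EventField $_ 'AccessMask'), 16)
            if     ($mask -band $WRITE_OWNER) { $action = 'TakeOwnership' }
            elseif ($mask -band $WRITE_DAC)   { $action = 'PermissionChange' }
            else   { return }   # some other file access, not of interest here
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Action  = $action
            User    = Get-EventField $_ 'SubjectUserName'
            Path    = $path
            NewSddl = Get-EventField $_ 'NewSd'   # present on 4670 only
        }
    } | Sort-Object Time | Format-Table -AutoSize -Wrap
```

If the `auditpol` output shows "No Auditing" for File System, no SACL on the folder will produce events, which usually means the audit policy GPO is not linked to the OU that contains the file server.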