OK. I though you had already enabled auditing on folders you wanted to
track. Be sure to audit the bare amount of permissions necessary to
accomplish what you want to do in order to minimize the amount of object
access events recorded. --- Steve
"JOHN MCCARTHY" <JOHNMCCARTHY@discussions.microsoft.com> wrote in message
news
59503FA-91B2-476E-A9BD-D7935824D0A4@microsoft.com...
> Steve,
>
> I managed to find the answer from Microsoft Knowldge base. Basically
> right
> click on the serve folder, select the Security TAB and on the bottom right
> corner select Advanced then select the Auditing TAB and find or select the
> user (I selected Authenticated Users). After performing the afore
> mentioned
> users accessing the folders and or files were audited as having accessed
> the
> object.
>
> "Steven L Umbach" wrote:
>
>> You should see the folder being accessed. Try looking for Event ID 560.
>> Below is an example from my computer. Note the object name field is the
>> name
>> of the file being accessed. --- Steve
>>
>> Event Type: Success Audit
>> Event Source: Security
>> Event Category: Object Access
>> Event ID: 560
>> Date: 1/3/2006
>> Time: 11:33:46 PM
>> User: STEVE-XP\Steve
>> Computer: STEVE-XP
>> Description:
>> Object Open:
>> Object Server: Security
>> Object Type: File
>> Object Name: D:\Drivers\SonyUSB\sonyhcusb2k.inf <<<<<<<<<<<<<<<<<<<
>> Handle ID: 120
>> Operation ID: {0,3472111}
>> Process ID: 3580
>> Image File Name: D:\WINDOWS\system32\notepad.exe
>> Primary User Name: Steve
>> Primary Domain: STEVE-XP
>> Primary Logon ID: (0x0,0x1BBD4)
>> Client User Name: -
>> Client Domain: -
>> Client Logon ID: -
>> Accesses: READ_CONTROL
>> SYNCHRONIZE
>> ReadData (or ListDirectory)
>> ReadEA
>> ReadAttributes
>>
>> Privileges: -
>> Restricted Sid Count: 0
>>
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> "JOHN MCCARTHY" <JOHNMCCARTHY@discussions.microsoft.com> wrote in message
>> news:AF92382B-DAB8-4DD8-ADDD-F522395F4668@microsoft.com...
>> > Help please. When I look at my Server Security Event Logs, for Object
>> > Access, the logs do not reflect the directory or UNC for files or
>> > folders
>> > for
>> > which users access, modify, create, delete etc.
>> >
>> > On the Domain Security Logs and Domain Controller Security Logs for the
>> > Server 2003 Server I have object access checked to audit the failure
>> > and
>> > success of such object accessed, checked.
>> >
>> > Take care,
>> > John
>>
>>
>>