Event Log show Folder or File Object Access


  #1  
Old 01-05-2006, 05:43 AM
JOHN MCCARTHY
 
Posts: n/a
Event Log show Folder or File Object Access

Help please. When I look at my Server Security Event Logs, for Object
Access, the logs do not reflect the directory or UNC for files or folders for
which users access, modify, create, delete etc.

On the Domain Security Logs and Domain Controller Security Logs for the
Server 2003 Server I have object access checked to audit the failure and
success of such object accessed, checked.

Take care,
John
  #2  
Old 01-05-2006, 05:43 AM
Steven L Umbach
 
Posts: n/a
Re: Event Log show Folder or File Object Access

You should see the folder being accessed. Try looking for Event ID 560.
Below is an example from my computer. Note the object name field is the name
of the file being accessed. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/3/2006
Time: 11:33:46 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Drivers\SonyUSB\sonyhcusb2k.inf <<<<<<<<<<<<<<<<<<<
Handle ID: 120
Operation ID: {0,3472111}
Process ID: 3580
Image File Name: D:\WINDOWS\system32\notepad.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0x1BBD4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


"JOHN MCCARTHY" <JOHNMCCARTHY@discussions.microsoft.com> wrote in message
news:AF92382B-DAB8-4DD8-ADDD-F522395F4668@microsoft.com...
> Help please. When I look at my Server Security Event Logs, for Object
> Access, the logs do not reflect the directory or UNC for files or folders
> for
> which users access, modify, create, delete etc.
>
> On the Domain Security Logs and Domain Controller Security Logs for the
> Server 2003 Server I have object access checked to audit the failure and
> success of such object accessed, checked.
>
> Take care,
> John
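
The Event ID 560 description quoted in the reply above can be reduced to the fields that answer "who touched which file". The following is an added example, not part of the original posts; the helper name `ConvertFrom-Event560Description` is hypothetical and the sample text is constructed from the record shown in the thread:

```powershell
# Constructed sample: description text of the Event ID 560 record quoted above (trimmed).
$sample = @'
Object Open:
Object Type: File
Object Name: D:\Drivers\SonyUSB\sonyhcusb2k.inf
Image File Name: D:\WINDOWS\system32\notepad.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Client User Name: -
Client Domain: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges: -
'@

function ConvertFrom-Event560Description {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    $f = @{}; $key = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { $key = $null; continue }
        if ($line -match '^([A-Za-z ]+):\s*(.*)$') {
            $key = $Matches[1]; $f[$key] = @($Matches[2])
        } elseif ($key) {
            $f[$key] += $line    # continuation line, e.g. the multi-line Accesses list
        }
    }
    # First value of a field, or "-" when the field is absent from the record.
    $get = { param($k) if ($f.ContainsKey($k)) { $f[$k][0] } else { '-' } }
    # Client fields are "-" for local access; they are filled in when the process
    # impersonates another account, which is typical for access over a share.
    $who = if ((& $get 'Client User Name') -ne '-') { 'Client' } else { 'Primary' }
    [pscustomobject]@{
        Object   = & $get 'Object Name'
        User     = '{0}\{1}' -f (& $get "$who Domain"), (& $get "$who User Name")
        Process  = & $get 'Image File Name'
        Accesses = $f['Accesses']   # rights requested when the handle was opened
        Modifies = [bool]($f['Accesses'] -match 'WriteData|AppendData|^DELETE|WRITE_DAC|WRITE_OWNER')
    }
}

ConvertFrom-Event560Description -Text $sample
```
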



  #3  
Old 01-05-2006, 05:43 AM
JOHN MCCARTHY
 
Posts: n/a
Re: Event Log show Folder or File Object Access

Steve,

I managed to find the answer from Microsoft Knowledge base. Basically right
click on the server folder, select the Security TAB and on the bottom right
corner select Advanced then select the Auditing TAB and find or select the
user (I selected Authenticated Users). After performing the aforementioned,
users accessing the folders and or files were audited as having accessed the
object.

"Steven L Umbach" wrote:

> You should see the folder being accessed. Try looking for Event ID 560.
> Below is an example from my computer. Note the object name field is the name
> of the file being accessed. --- Steve
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 1/3/2006
> Time: 11:33:46 PM
> User: STEVE-XP\Steve
> Computer: STEVE-XP
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: D:\Drivers\SonyUSB\sonyhcusb2k.inf <<<<<<<<<<<<<<<<<<<
> Handle ID: 120
> Operation ID: {0,3472111}
> Process ID: 3580
> Image File Name: D:\WINDOWS\system32\notepad.exe
> Primary User Name: Steve
> Primary Domain: STEVE-XP
> Primary Logon ID: (0x0,0x1BBD4)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses: READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
>
> Privileges: -
> Restricted Sid Count: 0
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> "JOHN MCCARTHY" <JOHNMCCARTHY@discussions.microsoft.com> wrote in message
> news:AF92382B-DAB8-4DD8-ADDD-F522395F4668@microsoft.com...
> > Help please. When I look at my Server Security Event Logs, for Object
> > Access, the logs do not reflect the directory or UNC for files or folders
> > for
> > which users access, modify, create, delete etc.
> >
> > On the Domain Security Logs and Domain Controller Security Logs for the
> > Server 2003 Server I have object access checked to audit the failure and
> > success of such object accessed, checked.
> >
> > Take care,
> > John

  #4  
Old 01-06-2006, 02:06 AM
Steven L Umbach
 
Posts: n/a
Re: Event Log show Folder or File Object Access

OK. I thought you had already enabled auditing on folders you wanted to
track. Be sure to audit the bare amount of permissions necessary to
accomplish what you want to do in order to minimize the amount of object
access events recorded. --- Steve


"JOHN MCCARTHY" <JOHNMCCARTHY@discussions.microsoft.com> wrote in message
news59503FA-91B2-476E-A9BD-D7935824D0A4@microsoft.com...
> Steve,
>
> I managed to find the answer from Microsoft Knowledge base. Basically
> right
> click on the server folder, select the Security TAB and on the bottom right
> corner select Advanced then select the Auditing TAB and find or select the
> user (I selected Authenticated Users). After performing the
> aforementioned,
> users accessing the folders and or files were audited as having accessed
> the
> object.
>
> "Steven L Umbach" wrote:
>
>> You should see the folder being accessed. Try looking for Event ID 560.
>> Below is an example from my computer. Note the object name field is the
>> name
>> of the file being accessed. --- Steve
>>
>> Event Type: Success Audit
>> Event Source: Security
>> Event Category: Object Access
>> Event ID: 560
>> Date: 1/3/2006
>> Time: 11:33:46 PM
>> User: STEVE-XP\Steve
>> Computer: STEVE-XP
>> Description:
>> Object Open:
>> Object Server: Security
>> Object Type: File
>> Object Name: D:\Drivers\SonyUSB\sonyhcusb2k.inf <<<<<<<<<<<<<<<<<<<
>> Handle ID: 120
>> Operation ID: {0,3472111}
>> Process ID: 3580
>> Image File Name: D:\WINDOWS\system32\notepad.exe
>> Primary User Name: Steve
>> Primary Domain: STEVE-XP
>> Primary Logon ID: (0x0,0x1BBD4)
>> Client User Name: -
>> Client Domain: -
>> Client Logon ID: -
>> Accesses: READ_CONTROL
>> SYNCHRONIZE
>> ReadData (or ListDirectory)
>> ReadEA
>> ReadAttributes
>>
>> Privileges: -
>> Restricted Sid Count: 0
>>
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> "JOHN MCCARTHY" <JOHNMCCARTHY@discussions.microsoft.com> wrote in message
>> news:AF92382B-DAB8-4DD8-ADDD-F522395F4668@microsoft.com...
>> > Help please. When I look at my Server Security Event Logs, for Object
>> > Access, the logs do not reflect the directory or UNC for files or
>> > folders
>> > for
>> > which users access, modify, create, delete etc.
>> >
>> > On the Domain Security Logs and Domain Controller Security Logs for the
>> > Server 2003 Server I have object access checked to audit the failure
>> > and
>> > success of such object accessed, checked.
>> >
>> > Take care,
>> > John
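
The Auditing-tab steps from post #3, combined with the advice in post #4 to audit only the permissions needed, can also be scripted. This is an added example, not part of the original posts; the function name `Add-MinimalFolderAudit` and the folder path are hypothetical, and it assumes PowerShell is available, an elevated session, and that the "Audit object access" policy is already enabled as described in post #1:

```powershell
# Hypothetical helper: adds one audit entry (SACL) to a folder, limited to
# write and delete rights so that plain reads do not flood the Security log.
function Add-MinimalFolderAudit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'Authenticated Users'   # the group chosen in post #3
    )
    $rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')

    # -Audit is required, otherwise Get-Acl does not return the SACL at all.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the SACL back so the caller can confirm which entries are now in effect.
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true,
        [System.Security.Principal.NTAccount])
}

# Assumed folder path, for illustration only.
Add-MinimalFolderAudit -Path 'D:\Shares\Projects'
```

Both halves are needed: the audit policy turns the Object Access category on, and the folder's audit entries decide which accesses by which accounts are actually written to the Security log.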
