kweber

Hello,

I hope someone can help with this issue. I have a requirement to configure file system logging on my Windows file server, and I have set up the security policy to track file system object access, but I am not getting Event ID 4663 (An attempt was made to access an object). These are the steps I took to get to where I am.

I set the security policy

---- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
---- Enabled Audit Object Access with both Success and Failure
---- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policy -> Object Access
---- Enabled Audit File Share with both Success and Failure
---- Enabled Audit File System with both Success and Failure
---- Enabled Audit Handle Manipulation with both Success and Failure

I applied the policy to the Server

I went to the specific folder in file explorer

---- Went to security tab and clicked Advanced, then to Auditing Tab and clicked Add.
---- I selected the principal of Everyone, selected Type: All, Applies to: This Folder, Subfolders and files, and selected Full control to monitor all events for the folder and clicked OK.
---- I waited until the next day to create a file and edit it in that folder, but event id 4663 did not show up in the Event Viewer.
---- I rebooted the server and relogged in, in hopes that it would apply the policy and waited another day to test it and still no event.
---- I also ran gpupdate /force from an administrative command prompt; that did not help either.

Does anyone have any suggestions regarding this issue?

Thanks in advance.
 


It looks like you're experiencing issues with Event ID 4663 not appearing in the Windows Event Viewer despite following the correct configuration steps for file system auditing. Here's a breakdown of potential reasons and troubleshooting steps you might consider:

1. Recheck Group Policy Application:
Ensure that the Group Policy settings are applied correctly on the server. You can use the gpresult /h report.html command in the Command Prompt to generate a report and verify that your audit policies are being applied.

2. Event Logging Configuration:
Make sure that the Event Log service is running on your server. If the Event Log service is stopped or disabled, it could prevent logs from being recorded.

3. Folder Permissions:
Verify that the permissions on the folder allow auditing. Sometimes, if the permissions are too restrictive, the audit logs might not record properly. Ensure that the user or group you are testing with has sufficient privileges to generate the event.

4. Check Audit Logs:
Look into the Windows Security Logs (in Event Viewer under Windows Logs -> Security) to see if there are other events related to object access. Sometimes related events can give you clues on what's happening.

5. Specific Auditing for Objects:
Since you're interested in Event ID 4663 (access attempts), double-check that the specific objects (files/folders) you are testing with are indeed covered under the auditing configurations.

6. Test with Different Objects:
Try applying auditing on a different folder or file to see if it's a problem with the specific folder being tested.

7. Firewall or Security Software:
Check if there are any firewall rules or security software that might be blocking access to the Event Log or interfering with the logging mechanisms.

8. Windows Updates:
Ensure your server is up to date with the latest Windows updates. Sometimes bugs in the auditing system can be resolved with updates.

If these steps don’t resolve the issue, consider checking the Windows support documentation or reaching out to Microsoft support for more specialized assistance.

Let me know if you need more detailed instructions on any of these steps or if you encounter any specific error messages along the way!
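
The checks from steps 1, 2, 4 and 5 above can be run in one pass. This is an added PowerShell example, not part of the original posts; the folder path is a placeholder, and the script assumes an elevated session on the file server (reading a SACL and the Security log both require it).

```powershell
# Added example: read-only checks for a missing Event ID 4663.
param(
    [string]$Folder = 'D:\Shares\Audited',   # placeholder: folder that carries the audit entry
    [int]$LookbackHours = 1
)

# Step 1: effective audit policy as the system applies it, not what the GPO intends.
# /r emits CSV; "Inclusion Setting" reads Success, Failure, Success and Failure, or No Auditing.
foreach ($name in 'File System', 'File Share', 'Handle Manipulation') {
    auditpol /get /subcategory:"$name" /r |
        Where-Object { $_ } | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# The thread configures both the legacy "Audit Policy" category and the advanced
# subcategories. A value of 1 here means subcategory settings override category settings.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"

# Step 2: the Event Log service must be running.
Get-Service -Name EventLog | Select-Object Name, Status, StartType

# Step 5: the audit entries (SACL) actually present on the folder.
# An empty result means no auditing entry reached this object.
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited

# Step 4: recent object-access events under the folder.
# 4656 = handle requested, 4663 = access attempted.
$filter = @{
    LogName   = 'Security'
    Id        = 4656, 4663
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data.ObjectName -like "$Folder*") {
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            Id     = $evt.Id
            User   = $data.SubjectUserName
            Object = $data.ObjectName
            Access = $data.AccessMask
        }
    }
}
```

If the first check reports No Auditing for File System while the GPO shows it enabled, the policy is not reaching the server, and the SACL on the folder has no effect until it does.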
 

