- Thread Author
- #1
Hello,
I hope someone can help with this issue. I have a requirement to configure file system logging on my windows file server and I have setup the security policy to track file system object access but I am not getting Event ID 4663 (An attempt was made to access an object). These are the steps I took to get to where I am.
I set the security policy
---- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
---- Enabled Audit Object Access with both Success and Failure
---- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policy -> Object Access
---- Enabled Audit File Share with both Success and Failure
---- Enabled Audit File System with both Success and Failure
---- Enabled Audit Handle Manipulation with both Success and Failure
I applied the policy to the Server
I went to the specific folder in file explorer
---- Went to security tab and clicked Advanced, then to Auditing Tab and clicked Add.
---- I selected the principal of Everyone, selected Type: All, Applies to: This Folder, Subfolders and files, and selected Full control to monitor all events for the folder and clicked OK.
---- I waited until the next day to create a file and edit it in that folder, but event id 4663 did not show up in the Event Viewer.
---- I rebooted the server and relogged in, in hopes that it would apply the policy and waited another day to test it and still no event.
---- I also ran gpupdate /force from an administrative command prompt, that did not help either.
Does anyone have any suggestions regarding this issue?
Thanks in advance.
I hope someone can help with this issue. I have a requirement to configure file system logging on my windows file server and I have setup the security policy to track file system object access but I am not getting Event ID 4663 (An attempt was made to access an object). These are the steps I took to get to where I am.
I set the security policy
---- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
---- Enabled Audit Object Access with both Success and Failure
---- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policy -> Object Access
---- Enabled Audit File Share with both Success and Failure
---- Enabled Audit File System with both Success and Failure
---- Enabled Audit Handle Manipulation with both Success and Failure
I applied the policy to the Server
I went to the specific folder in file explorer
---- Went to security tab and clicked Advanced, then to Auditing Tab and clicked Add.
---- I selected the principal of Everyone, selected Type: All, Applies to: This Folder, Subfolders and files, and selected Full control to monitor all events for the folder and clicked OK.
---- I waited until the next day to create a file and edit it in that folder, but event id 4663 did not show up in the Event Viewer.
---- I rebooted the server and relogged in, in hopes that it would apply the policy and waited another day to test it and still no event.
---- I also ran gpupdate /force from an administrative command prompt, that did not help either.
Does anyone have any suggestions regarding this issue?
Thanks in advance.