How to configure granular audit policy on a file server

Question: How to configure granular audit policy on a file server (Windows Vista or later)?
Answer: In Windows Server 2008 R2, Server 2012 and Windows 7, granular audit policies are integrated with Group Policy, so they can be applied via a Group Policy Object (GPO) or the Local Security Policy.

A. Applying Granular Audit Policies via Local Policies

To apply granular audit policies via Local Policies, perform the following:
1. On a monitored file server, open the Local Security Policy snap-in (navigate to Start->Run and type ‘secpol.msc’).
2. Navigate to Security Settings -> Local Policies -> Security Options and locate the Audit: Force audit policy subcategory settings (Windows Vista or later) policy:
Figure 1: Local Security Policy Snap-In

3. Double-click this policy and select the Enabled option in the dialog that opens:
Figure 2: Local Security Setting

 
4. Navigate to Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access and enable the following subcategories: Audit File System and Audit Handle Manipulation.
To do this, double-click a subcategory, select the Configure the following audit events: option and select the Success and/or Failure checkboxes, depending on the type of events you want to track:
Figure 3: Audit File System Properties
 
5. Update your Group Policies by executing the gpupdate /force command in the command line interface.
Note: You can check your current effective settings by executing the following command:
auditpol /get /category:"Object Access"
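
The check in the note above can be scripted so that it confirms both required subcategories and the override policy from step 3. This is an added example, not part of the original article; it assumes an English-language OS (auditpol prints localized subcategory names), and the host name FS01 and the function names are hypothetical.

```powershell
# Added example (not from the original article). Run elevated on the file server.
# Written to work on PowerShell 2.0, which ships with Windows Server 2008 R2.

function Test-ForceSubcategoryPolicy {
    # Registry value behind "Audit: Force audit policy subcategory settings
    # (Windows Vista or later)"; 1 means the policy is Enabled (step 3).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Get-ObjectAccessAuditState {
    param(
        # CSV lines in the format of: auditpol /get /category:"Object Access" /r
        [Parameter(Mandatory = $true)] [string[]]$CsvLines,
        # Subcategories enabled in step 4
        [string[]]$Required = @('File System', 'Handle Manipulation')
    )
    # auditpol may emit blank lines around the CSV rows; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Setting     = $setting
            Success     = ($setting -match 'Success')
            Failure     = ($setting -match 'Failure')
        }
    }
}

# Constructed sample input (hypothetical host FS01): File System is configured,
# Handle Manipulation was missed in step 4.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    '',
    'FS01,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},Success and Failure,',
    'FS01,System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing,'
)
Get-ObjectAccessAuditState -CsvLines $sample |
    Select-Object Subcategory, Setting, Success, Failure | Format-Table -AutoSize

# On the live server, after gpupdate /force:
#   Test-ForceSubcategoryPolicy
#   Get-ObjectAccessAuditState -CsvLines (auditpol /get /category:"Object Access" /r)
```

A row showing "No Auditing", or Test-ForceSubcategoryPolicy returning False, means the corresponding step was not applied or has been overridden by another policy.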


B. Applying Granular Audit Policies via Group Policies

In order to apply a granular audit policy configuration via a Group Policy Object (GPO), you must have a Windows Server 2008 R2 domain controller or member server with the Group Policy Management Console installed. For instructions on how to do this, refer to the following technical article by Microsoft: Advanced Security Audit Policy Step-by-Step Guide

Note: The current version of File Server Change Reporter ignores granular audit policy settings. As a result, you will get warning messages if the audit policy subcategory configuration is applied (these warning messages do not affect the product functionality). Future product versions will be able to detect whether granular audit policies are applied and to verify these settings.

For more information, refer to the following technical article: How to Configure Granular Audit Policy on a File Server monitored by NetWrix File Server Change Reporter.