Hi, this is Jeremy Moskowitz from GPanswers.com. Today we are going to talk about auditing, some myths and some facts. Let’s pretend we have a Share here called Share2. We have this file called secret.txt and if we open it up we know it is not really a secret. The idea is that you might want to figure out who is touching this file, who is manipulating it, who is maybe trying to read it, or edit it, or do other things to it.
Auditing is a really big deal. You want to make sure that your most important files are being audited in case of a hack attack, or somebody doing something they should not do, or lots of other reasons. What we are going to do is turn auditing on. Now here is the secret. The secret is that if you go to Properties here and you click on Security, and you look under Advanced, and you go to Auditing, a lot of people think auditing begins here. It does not really begin here at all, it begins somewhere else. It kind of ends here.
Let’s go ahead and Add in and Edit this. What we are going to do is Add in the people who we are looking for. So maybe we are looking for Sally, eastsalesuser1, what are they doing to this file. Maybe we are looking for a group that someone is in, like Backup Operators. Maybe we want to know what they are doing. Or we could also look for what maybe everyone, or Authenticated Users is doing. The point of the story is you are laying down what I like to call flypaper for a particular user or a group that the person is in on the computer. Either Sally, or the sales group, or everyone, authenticated users.
You can turn on various attributes. Like, what happens when somebody reads the attributes of a file, which actually includes read access because there is no way to actually read the file without read attributes? Or maybe they tried to change the permissions on it and they were successful on that. Or they failed. They tried to write some stuff, but they did not have access so they failed doing that. Long story short, you can set the permissions that you want to here, that you want to audit for.
When you click OK, and OK, and OK, and OK, once you have done that you actually really have not done anything yet. Especially if you are on a server or a workstation machine. What you really need to do from a Group Policy perspective. Let’s pretend that was on a server somewhere. Let’s say it was on my East Sales Servers. You really need to turn on auditing. So, we will turn on auditing here. What I am trying to drive at is that auditing is not officially turned on on your servers or workstations unless you really turn auditing on. On the computer side, Policies/Windows Settings/Security Settings/Local/Audit Policy, and when you are looking for the various auditing types. Now files happen to live under the heading Audit object access and I just happen to know that one.
Long story short, I am going to turn these guys on, click OK. Now auditing is officially enabled. At this point I would be able to go touch the file, look in the auditing event logs and see who has actually touched the file and done what, based on my specifications. Those are some myths and facts behind auditing. I hope that helps you out. For more information on this topic or any other topic about Group Policy especially, training, or other kinds of assistance I am here to help you at GPanswers.com. Thank you very much and I will talk to you soon.
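The two halves described in the video (audit entries on the file, plus an audit policy that is actually switched on) can be checked together from an elevated PowerShell session. This is an added example, not part of the video or of GPanswers.com material; the path D:\Share2\secret.txt is an assumed location for the file, and it reads the effective policy with auditpol rather than setting it through Group Policy as the video does.

```powershell
# Added example, not from the video. Run elevated on the machine holding the file.
$Path     = 'D:\Share2\secret.txt'   # assumed local path behind Share2
$Identity = 'Authenticated Users'    # who the "flypaper" is laid down for

# 1. File side: add an audit entry (SACL) covering success and failure.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, ChangePermissions'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $rights, $flags)
$acl    = Get-Acl -Path $Path -Audit   # -Audit is needed to load the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 2. Policy side: is file auditing actually switched on for this computer?
#    "File System" is the subcategory under Object Access (English OS assumed).
$policy  = auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
$entries = @((Get-Acl -Path $Path -Audit).Audit).Count

if ($setting -eq 'No Auditing') {
    # The situation the video warns about: flypaper laid down, nothing recording.
    Write-Warning "$entries audit entries on $Path, but the audit policy is off. No events will be logged."
}
else {
    Write-Output "Audit policy: $setting. Audit entries on file: $entries."

    # 3. Recent file-access events (ID 4663) for this exact path.
    #    In event 4663, Properties[1] is the account name and Properties[6] the object name.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -eq $Path } |
        Select-Object -First 10 TimeCreated,
            @{ Name = 'Account'; Expression = { $_.Properties[1].Value } },
            @{ Name = 'Process'; Expression = { $_.Properties[11].Value } }
}
```

If the warning fires, enable Audit object access in the GPO linked to the servers as shown in the video, refresh policy on the server, and run the check again.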