V
V1nc3
Situation
-----------
1 fileserver (FS01)
1 Domain controller (DC01)
On the domain controller:
Created GPO "EU Object Auditing" which audits for both success and failures.
The GPO was linked to OU "servers".
Inside this OU there is Fileserver FS01
On the file server:
Checked auditing for both success and failure for "everyone".
These settings are inherited by the subfolders.
Executed: GPUPDATE /FORCE /BOOT /LOGOFF and restarted the file server.
Verified the GPO to have been applied successfully by GPRESULT /R
Problem:
----------
We tried checking the event viewer for several days now by filtering on IDs 4656 and 4663 but no entries at all are found.
It seems the server is not logging/auditing any object access.
The process appears so simple yet we verified every step over and over again and still the server is not logging.
Any tips/tricks or assistance is appreciated.
Continue reading...
-----------
1 fileserver (FS01)
1 Domain controller (DC01)
On the domain controller:
Created GPO "EU Object Auditing" which audits for both success and failures.
The GPO was linked to OU "servers".
Inside this OU there is Fileserver FS01
On the file server:
Checked auditing for both success and failure for "everyone".
These settings are inherited by the subfolders.
Executed: GPUPDATE /FORCE /BOOT /LOGOFF and restarted the file server.
Verified the GPO to have been applied successfully by GPRESULT /R
Problem:
----------
We tried checking the event viewer for several days now by filtering on IDs 4656 and 4663 but no entries at all are found.
It seems the server is not logging/auditing any object access.
The process appears so simple yet we verified every step over and over again and still the server is not logging.
Any tips/tricks or assistance is appreciated.
Continue reading...