Sunday, March 29, 2015

Folder Auditing in Windows Server 2012 R2

i’m blogging about Domain Log On Auditing, today lets go through a bit about how you can audit folder (the idea is very simple, we wanted to know who access what…).
1 – Create a new GPO in the root of your AD, right click domain name and click Create a GPO in this domain, and link it here..
1
2 – Give a name of your new GPO, in this demo i just give a simple name call Object Auditing..
2
3 – Next, right click Object Auditing GPO that you just created and click Edit…
3
4 – Once the new GPO open, please browse to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy and then on the right pane, look for Audit object access and double click on it…
— In the Audit object access Properties box, click Define these policy settings box then select both the Success and Failure boxes, and then click OK to proceed…
4
5 – Next, go to folder that you plan to audit and in my demo i will be using my previous DFS folder (please refer to https://mizitechinfo.wordpress.com/2013/08/21/step-by-step-deploy-dfs-in-windows-server-2012-r2/ for more info how to deploy DFS..),
— right click the folder(DataFiles) and click Properties…
5
6 – on the DataFiles properties box click Edit… then add Domain Users in the Group or user names:
— you can give any permissions you prefer follow by your organization policy and best practice…
6
7 – Next, click Advanced botton…
7
8 – on the Advanced Security Settings for DataFiles box, click Auditing and then click Add..
8
9 – Next, on the Auditing Entry for DataFiles box, click Select Principal..
9
10 – then add Domain Users as your Principal, choose Type – All, and on the Basic Permissions, you can choose Full control until write, and then click OK…
10
11 – Next, log in to your client OS as domain user (in my demo i log in to my Wndows 8.1 client and execute gpupdate /force command..)
11
12 – once you successfully log in to your client PC, browse to Branchdocs folder and delete any folder / files that you have)
–** THIS IS ONLY DEMO PURPOSES, DO NOT TEST THIS FUNCTION IN REAL PRODUCTION SITUATION!!!)
12
13 – next, return to your  domain server and then open Event Viewer, in the Event Viewer expand Windows Logs, and then click Security… search for Event ID 4663, you notice that our demo is successfully because the event was recorded by Event Viewer.
— in the Event Viewer, you can check who’s doing what.. in my demo, domain user name Alan successfully deleted a folder from branchdocs folder…
14
13

No comments:

Post a Comment