Enable Folder Auditing

This article explains how to enable auditing of a Windows folder. This is required if you plan to create auditing reports in SysKit.

By auditing file and folder access, you can report on user activities performed against selected files and folders.

Configuring Group Policy

There are two methods of applying group policy. Log on to your Domain Controller and check whether you have Group Policy Management under Administrative Tools.

A) Configuring Group Policy for a domain WITHOUT Group Policy Management feature:

  1. Log in to your Domain Controller with an account that has Domain Administrator privileges.
  2. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  3. On the View menu, click Advanced Features.
  4. Right-click Domain Controllers, and then click Properties.
  5. Click the Group Policy tab, click Default Domain Policy, and then click Edit.
  6. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
  7. In the right pane, right-click Audit Object Access, and then click Properties.
  8. Click Define These Policy Settings, and then click to select Success.
  9. Click OK.
  10. The changes you made will only take effect when the policy setting is propagated or applied to your computer. Complete either of the following steps to initiate policy propagation right now:
    • Type gpupdate /force at the command prompt of a server and then press ENTER. The policy will be updated.
    • Wait for automatic policy propagation that occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes.

B) Configuring Group Policy for a domain WITH Group Policy Management feature:

  1. Log in to your Domain Controller with an account that has Domain Administrator privileges.
  2. Click Start, point to Programs, point to Administrative Tools, and then click Group Policy Management.
  3. Click Default Domain Policy, and then click Edit (if you have a separate policy only for terminal servers, select that policy instead).
  4. Click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
  5. In the right pane, right-click Audit Object Access, and then click Properties.
  6. Click Define These Policy Settings, and then click to select Success.
  7. Click OK.
  8. The changes you made will only take effect when the policy setting is propagated or applied to your computer. Complete either of the following steps to initiate policy propagation right now:
    • Type gpupdate /force at the command prompt of a server and then press ENTER. The policy will be updated.
    • Wait for automatic policy propagation that occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes.

After configuring group policy, configure the individual folders for auditing:

  1. Log in to your server, right-click the folder you want to enable auditing for, and click Properties.
  2. Choose the Security tab and then click the Advanced button.
  3. First click the Auditing tab and then click Edit.
  4. On the Auditing tab, click the Add… button.
  5. Enter all users/groups whose operations you want to audit. If you want to audit all users in your domain, type in “Domain Users”.
  6. Select the operations you want to track. We recommend that you select the minimal set of operations. Auditing is a resource-consuming operation, so select just the few operations you want to track here. We recommend selecting the following:
    • List Folder / Read Data
    • Create Files / Write Data
    • Create Folders / Append Data
    • Delete
  7. If there is a folder structure below the current folder, make sure you have selected the “Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object” option.
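
The same folder auditing entry can be applied and checked from PowerShell. This is an added example, not part of the original article or of SysKit; the folder path is a placeholder, and it assumes an elevated session on Windows Server 2008 or later, where file access audits are logged as event ID 4663. It adds an inheritable auditing entry on the folder itself and does not reset existing auditing entries on descendants.

```powershell
# Run elevated on the file server. Reading or writing a SACL requires the
# "Manage auditing and security log" user right (SeSecurityPrivilege).
$Folder    = 'D:\Shares\Audited'              # assumption: placeholder path
$Principal = "$env:USERDOMAIN\Domain Users"   # group named in the steps above

# The four recommended operations, as FileSystemRights flags:
#   List Folder / Read Data      -> ListDirectory
#   Create Files / Write Data    -> CreateFiles
#   Create Folders / Append Data -> CreateDirectories
#   Delete                       -> Delete
$Rights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateFiles, CreateDirectories, Delete'

# Inheritable entry: applies to this folder, its subfolders and its files.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

# Success only, matching the "Audit Object Access: Success" policy setting.
$Audit = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $Rights, $Inherit, $Propagate, $Audit)

# -Audit makes Get-Acl return the SACL in addition to the DACL.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check 1: the auditing entry is present on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize

# Check 2: the Group Policy setting has reached this server. The "File System"
# subcategory should show Success after gpupdate /force.
auditpol /get /category:"Object Access"

# Check 3: after a test read or write in the folder by an audited user,
# object access events for the folder appear in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object -First 5 TimeCreated, Id, Message |
    Format-List
```

If Check 2 shows "No Auditing" for File System, the folder entry is in place but no events will be written until the policy has propagated.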

Configuring SysKit

You need to enable collection of event log data under File > Manage > System Jobs and you are good to go. SysKit will start to collect audit information from the Event Log on a regular basis.