Posted by Roger Abell [MVP] on September 21, 2006, 12:30 am
You ask if one may enable such auditing for only one area.
Yes, certainly, even just for one file. Recall that one needs
not only to enable audit of object access, but also to
go into the NTFS security dialog's Advanced view and set
audit specifications in the Audit tab. If you did not need to
do this last step, then someone had done so earlier. Audit
records will only be written for access in areas where this
has been done and only for the accesses that were specified.
Note, however, that you cannot audit "copies" but you can audit
reads. The other part of a copy is a write somewhere else,
which cannot be audited on the read-from area.
> Hi,
>
> I've been trying to work out an easy method of detecting if a file is
> copied off the server by a remote computer/user. By enabling object access
> in the audit logs for the domain controller it shows this in the event
> logs, but the log very quickly fills up with normal usage. Is it possible
> to only enable object access logging for 1 area or is there another way to
> determine if a file is copied and who by?
>
> Jason
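
The two steps described in the reply (enable object-access auditing, then set an audit entry on just the area of interest) and a filtered read of the resulting events, as an added PowerShell example that is not part of the original thread. The folder path and the `Everyone` principal are assumptions, and the `File System` subcategory and event ID 4663 apply to Windows Vista/Server 2008 and later, not the event IDs of 2006-era systems.

```powershell
# Added example, not from the thread. Run in an elevated session.
$Path      = 'D:\Shares\Finance'   # hypothetical folder to watch
$Principal = 'Everyone'            # assumption: audit reads by any account

# Step 1: enable the audit policy. "File System" is the subcategory of
# object access that covers NTFS files and folders.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Step 2: add an audit entry (SACL) on this folder only. This is the
# scripted form of Advanced > Auditing in the NTFS security dialog.
# Only successful reads are audited, which keeps the log volume down.
$acl  = Get-Acl -Path $Path -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Step 3: list who read which file under $Path. Event 4663 is written
# only for objects whose SACL matches the access, so other areas of the
# server generate nothing. A read is recorded; the destination of a copy
# is not.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data.ObjectName -like "$Path\*") {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                File   = $data.ObjectName
                Access = $data.AccessMask
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

For access over a file share the subject in the event is the remote user's account, so the `User` column identifies who read the file even though the server-side process is the system itself.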