Windows server 2003 share folder file access log

Question
Answers
-
Dear Customer,
Please understand that we provide support for issues with Simplified Chinese, Traditional Chinese and English. We do not support any posts in Cantonese.
Please send your question in either Simplified Chinese or English, thanks.
Sincerely,
Tom Zhang
Tom Zhang – MSFT
- Marked as answer by Tom Zhang – MSFT (Moderator), June 4, 2010, 8:27 AM
May 27, 2010, 3:14 AM, Moderator
-
Not sure it can 100% satisfy your request~~~
In the GPO of the Windows Server:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
It has some audit controls for user accounts.
Enable Object Access, which can allow you to have object access events under the Windows Server log.
MCPD .Net, CCNP Love programming, but not an IT Guy Haha! :D
- Proposed as answer by Jackson_Chong, May 27, 2010, 6:02 AM
- Marked as answer by Tom Zhang – MSFT (Moderator), June 4, 2010, 8:27 AM
May 27, 2010, 6:02 AM
All replies
-
Hi Joe, try these steps:
Configure an audit entry on the specific folder(s) that you wish to audit.
Right-click on the folder --> Properties --> Security --> Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.
After you've done both of these steps, any file deletions will show up in the Security log.
I need some time to verify it, I just found these steps from Microsoft~~~
:D
MCPD .Net, CCNP Love programming, but not an IT Guy Haha! :D
May 31, 2010, 3:47 AM
-
Is the Event ID 578 under the Security log?
I got a lot of Event ID 578 logs now; one of the samples is listed below.
Privileged object operation:
Object Server: Security
Object Handle: 1952
Process ID: 2576
Primary User Name: administrator
Primary Domain: ***-MYDOMAIN-***
Primary Login ID: (0x0,0x2E319ACF)
Client User Name: administrator
Client Domain: ***-MYDOMAIN-***
Client Login ID: (0x0,0x2E319ACF)
Privileges: SeSecurityPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 31, 2010, 6:28 AM
-
You can read Chinese?
Bro, it is event 560
物件開啟:
物件伺服器: Security
物件類型: File
物件名稱: C:\Temp\Share
處理識別碼: 3428
操作識別碼: {0,233285484}
程序識別碼: 3944
影像檔案名稱: C:\WINDOWS\explorer.exe
主要使用者名稱: jacksonchong
主網域: Macrosoft
主要登入識別碼: (0x0,0x213D5)
用戶端使用者名稱: -
用戶端網域: -
用戶端登入識別碼: -
存取: READ_CONTROL
SYNCHRONIZE
ReadData (或 ListDirectory)
ReadEA
ReadAttributes
特權: -
限制的 Sid 數目: 0
請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心,以取得其他資訊。
You see it?
Or the GPO cannot broadcast to your machine?
:D
MCPD .Net, CCNP Love programming, but not an IT Guy Haha! :D
June 2, 2010, 3:23 AM
-
Under Win2k3 SP2
Object Access enabled by above method
Details of file access (Copy)
物件開啟:
物件伺服器: Security
物件類型: File
物件名稱: C:\Temp\Share\Service-Interview-Audit.ps1
處理識別碼: 1612
操作識別碼: {0,763101056}
程序識別碼: 3944
影像檔案名稱: C:\WINDOWS\explorer.exe
主要使用者名稱: jacksonchong
主網域: CONVOY
主要登入識別碼: (0x0,0x213D5)
用戶端使用者名稱: -
用戶端網域: -
用戶端登入識別碼: -
存取: READ_CONTROL
SYNCHRONIZE
ReadData (或 ListDirectory)
ReadEA
ReadAttributes
特權: -
限制的 Sid 數目: 0
請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心,以取得其他資訊。
MCPD .Net, CCNP Love programming, but not an IT Guy Haha! :D
June 9, 2010, 2:50 AM
-
Access Log for delete
物件開啟:
物件伺服器: Security
物件類型: File
物件名稱: C:\Temp\Share\Shiela.txt
處理識別碼: 4996
操作識別碼: {0,763151513}
程序識別碼: 3944
影像檔案名稱: C:\WINDOWS\explorer.exe
主要使用者名稱: jacksonchong
主網域: CONVOY
主要登入識別碼: (0x0,0x213D5)
用戶端使用者名稱: -
用戶端網域: -
用戶端登入識別碼: -
存取: DELETE
SYNCHRONIZE
ReadAttributes
特權: -
限制的 Sid 數目: 0
請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心,以取得其他資訊。
Why no log?
You are using 2k3 Server?
And your XP updated the service packs?
MCPD .Net, CCNP Love programming, but not an IT Guy Haha! :D
June 9, 2010, 2:51 AM
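
An added example, not code from any poster in this thread: a Python parser for the Event ID 560 description text in the zh-TW layout quoted above, which lists the opens under a share folder that requested DELETE access. The key names, users, domain and file names are assumptions constructed for the example.

```python
import re

# zh-TW labels from the Event 560 text quoted in this thread -> example key names.
LABELS = {"物件名稱": "path", "主要使用者名稱": "user", "主網域": "domain"}
FIELD = re.compile(r"^([^:]+?):\s*(.*)$")

def parse_560(text):
    """Parse one Event 560 description; 'accesses' holds the multi-line list."""
    rec, in_access = {"accesses": []}, False
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m is None:
            if in_access and line:  # continuation line, e.g. "SYNCHRONIZE"
                rec["accesses"].append(line)
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        in_access = label == "存取"
        if in_access:
            rec["accesses"].append(value)
        elif label in LABELS:
            rec[LABELS[label]] = value
    return rec

def delete_requests(events, share_root):
    """(DOMAIN\\user, path) for opens under share_root that requested DELETE."""
    # Event 560 logs the access requested when the handle was opened.
    root = share_root.rstrip("\\").lower() + "\\"
    hits = []
    for ev in map(parse_560, events):
        path = ev.get("path", "")
        if "DELETE" in ev["accesses"] and path.lower().startswith(root):
            hits.append((ev.get("domain", "") + "\\" + ev.get("user", ""), path))
    return hits

# Constructed sample events (not from a real log), in the layout quoted above.
READ_EVENT = """物件名稱: C:\\Temp\\Share\\report.txt
主要使用者名稱: alice
主網域: EXAMPLE
存取: READ_CONTROL
ReadData (或 ListDirectory)
特權: -"""
DELETE_EVENT = """物件名稱: C:\\Temp\\Share\\notes.txt
主要使用者名稱: bob
主網域: EXAMPLE
存取: DELETE
SYNCHRONIZE
特權: -
請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心,以取得其他資訊。"""
print(delete_requests([READ_EVENT, DELETE_EVENT], r"C:\Temp\Share"))
```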