Thanks. I seem to remember trying to enable this kind of auditing and it was like drinking from a fire hose...
Dave

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, September 20, 2011 11:01 PM
To: NT System Admin Issues
Subject: Re: NTFS permissions

On Tue, Sep 20, 2011 at 1:10 PM, David Lum <david....@nwea.org> wrote:
> I can turn on logging to capture ACL changes can't I?

You would need to enable "File access" auditing in Audit Policy (under Security Policy in GPO-land). You would then need to create SACLs (Security ACLs, used for auditing (permissions are DACLs)) on the objects in question (files/folders), auditing Success for WRITE_DAC.

That's the theory, anyway. In practice, NT generates all kinds of audit events for permissions that were simply requested but never used, and it turns out that lots of things (including Windows Explorer) request everything for everything they do. Microsoft eventually introduced some separate event IDs for actually *using* the thing being audited. I don't remember if that had shown up by 2003 or not. And without subcategory audit policies (I'm pretty sure those are not in 2003) you still get a ton of useless audit events to slow down the system and fill up the log.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
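
The SACL step described in the thread, as an added PowerShell example that is not part of the original messages: it adds a Success audit entry for WRITE_DAC (`ChangePermissions` in .NET) and nothing else, which keeps the event volume down. The function name `Add-WriteDacAudit`, the path `D:\Shares\Finance` and the `Everyone` principal are assumptions; it also assumes an elevated session and that object access auditing is already enabled in policy.

```powershell
# Added example; Add-WriteDacAudit and D:\Shares\Finance are hypothetical names.
function Add-WriteDacAudit {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Principal = 'Everyone'
    )

    # FileSystemRights.ChangePermissions is the WRITE_DAC access right.
    $rights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    $prop   = [System.Security.AccessControl.PropagationFlags]::None
    $flags  = [System.Security.AccessControl.AuditFlags]::Success

    # Inheritance flags are only valid on containers; a file must use None.
    $item = Get-Item -Path $Path -Force
    if ($item.PSIsContainer) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
        $Principal, $rights, $inherit, $prop, $flags

    # -Audit makes Get-Acl return the SACL as well as the DACL.
    # Reading or writing a SACL requires SeSecurityPrivilege (run elevated).
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)      # merges with an identical existing entry
    Set-Acl -Path $Path -AclObject $acl

    # Read back the explicit (non-inherited) audit entries to confirm the change.
    (Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $false, [System.Security.Principal.NTAccount])
}

Add-WriteDacAudit -Path 'D:\Shares\Finance' |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# On Windows Server 2008 and later, a DACL change on an audited object is
# logged in the Security log as event 4670 ("Permissions on an object were
# changed"). Older systems such as Server 2003 use different event IDs.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```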