Configuring Audit Polices for Windows File Server Auditing

  1. Open Group Policy Management Console(GPMC).
  2. Create a New GPO “ADAuditPlusFSPolicy”
  3. Link the “ ADAuditPlusFSPolicy” at Domain level
    1. Open GPMC|right click the Domain |Select Link an Existing GPO|Select the “ADAuditPlusFSPolicy”
    File Server Group Policy
  4. Edit the "ADAuditPlusFSPolicy"(right click the policy and "Edit")
  5. Configure required Advanced Audit Policies for 2k8 and above(recommended). This settings can be found under
    1. Computer Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|System Audit Policies
    2. Audit File Shares :
      1. Select Object Access -> Audit File System(Success, Failure), Audit Handle Manipulation(Success, Failure), Audit File Share(Success).
      2. Select Policy Change -> Audit Policy Change(Success, Failure)
    File Server Audit Policies
  6. Audit Polices required For Windows File Server Auditing (for 2k3 and below)
    1. Computer Configuration|Windows Settings|Security Settings|Local Polices|Audit Policy
    2. Audit File Shares: Configure Object Access (Success,Failure).
    File Server Audit Policies 2k3
  7. Force Advanced Audit Policy
    1. Computer Configuration|Windows Settings|Security Settings|Local Polices|Security Options
    2. Enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    Force Advanced Audit Policy
  8. Remove “Apply Group Policy” privilege for Authenticated Users in the above created GPO, follow the steps to do the same.
    1. Get the GUID value for "ADAuditPlusFSPolicy"
      1. Open GPMC, click on the "ADAuditPlusFSPolicy"
      2. Click on the "Details" tab(right side) 
      3. Note the unique id value of "Unique ID"
    2. Remove "Apply Group Policy" privilege for Authenticated Users
      1. Open "dsa.msc"; Start -> Run -> dsa.msc
      2. "Domain" -> System -> Policies -> "Unique ID"
      3. Right click the "Unique ID" -> Security tab -> Advanced
      4. Remove "Allow" for "Apply Group Policy"
    Apply Group Policy Privilege
  9. Create a new Global Security Group and add the File Servers to be audited in that group.
    1. Open ADUC|Create a new Global Security Group “ADAuditPlusFS” . Add configured File Servers into a member of the above created group.
    Workstation Group Add
  10. Add the  above group “ADAuditPlusFS “ into the "Security Filtering" settings of “ADAuditPlusFSPolicy” GPO.
    11. Add Security Filtering File Server
    Copyright © 2017, ZOHO Corp. All Rights Reserved.
    ManageEngine