Hi, I needed to set up auditing for the purpose of finding out who keeps deleting files from a specific folder on one of our file servers.
I have accomplished this by turning on "Success" auditing in the "Audit File System" policy inside the "Advanced Audit Policy Configuration" \ "System Audit Policies - Local Group Policy Object" \ "Object Access" section of local group policy on the file server.
Then I went into the folder in question and set a SACL to enable "Success" auditing on "Domain Users" for "Delete" and "Delete subfolders and files".
This seems to work: if I delete a file inside the folder in question, I get a few events pertaining to the deletion. That's all well and good, but I am also getting heaps of event 4985s, as per below. How can I stop these from being logged? I only want the delete events, and I have only turned on a SACL for the delete events on one particular folder, but somehow it causes all these other unrelated logs to appear! I don't know what's causing them, except that it's related to the file system auditing I set up.
Any assistance would be appreciated!
________________________________________________________
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 16/01/2013 12:12:44 PM
Event ID: 4985
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: ******.********.net.au
Description: The state of a transaction has changed.
Subject:
Security ID: ****\*****
Account Name: *******
Account Domain: **********
Logon ID: 0x4a75df44
Transaction Information:
RM Transaction ID: {c67fd02e-59e5-11e2-8514-005056ba0011}
New State: 48
Resource Manager: {55626fec-f32a-11df-b181-0050569d465d}
Process Information:
Process ID: 0x380
Process Name: C:\Windows\System32\svchost.exe
________________________________________________________
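The setup described in the post, reproduced as an added PowerShell example (this is not code from the original post or the poster's environment): it enables Success auditing for the "File System" subcategory with auditpol, adds the Delete / Delete subfolders and files Success audit entry for Domain Users to the folder's SACL, and then reads back only the deletion events from the Security log. The folder path and the 24-hour window are assumptions; the domain is taken from the environment. The query asks for event IDs 4660 and 4663 only, so 4985 never appears in the result even though it is still written to the log. Because 4660 ("An object was deleted") carries the handle but not the file name, it is correlated with the preceding 4663 ("An attempt was made to access an object") for the same HandleId whose AccessMask includes DELETE (0x10000).

```powershell
# Added example, not part of the original post. Run elevated on the file server.
$Folder = 'D:\Shares\Finance'   # assumption: replace with the folder in question

# 1. Success auditing for the "File System" subcategory, equivalent to the
#    Advanced Audit Policy setting the post enables through Local Group Policy.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:disable

# 2. SACL entry: Success audit for Domain Users on Delete and
#    Delete subfolders and files, inherited by subfolders and files.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "$env:USERDOMAIN\Domain Users",
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back only the deletion events from the last 24 hours (assumed window).
#    Event 4985 is simply not selected by the XPath filter.
$xpath  = "*[System[(EventID=4660 or EventID=4663) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$byHandle = @{}   # HandleId -> object name, from 4663 events that requested DELETE
$deleted  = foreach ($e in ($events | Sort-Object TimeCreated)) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($e.Id -eq 4663) {
        # Keep only handles opened with DELETE (0x10000) on something under $Folder
        if ($d.ObjectName -like "$Folder*" -and ([int64]$d.AccessMask -band 0x10000)) {
            $byHandle[$d.HandleId] = $d.ObjectName
        }
    }
    elseif ($e.Id -eq 4660 -and $byHandle.ContainsKey($d.HandleId)) {
        # 4660 confirms the delete; the name comes from the matching 4663
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $byHandle[$d.HandleId]
            Process = $d.ProcessName
        }
        $byHandle.Remove($d.HandleId)
    }
}

$deleted | Format-Table -AutoSize
```

Step 3 can be run on its own once the policy and SACL are in place; it is a view filter, so any 4985 events the subcategory produces are still written to the Security log and only excluded from what is displayed.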