Channel: Security forum

Auditing in local user policy overwritten

Hi,

I'm trying to list files that are deleted in certain directories. For this, I've enabled auditing for object access in the local security policy.

To refine the selection, I've used the auditpol tool to disable most of the non-significant subcategories:

auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"File System" /success:enable /failure:disable
auditpol /set /subcategory:"Registry" /success:disable /failure:disable
auditpol /set /subcategory:"Kernel Object" /success:disable /failure:disable
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
auditpol /set /subcategory:"Certification Services" /success:disable /failure:disable
auditpol /set /subcategory:"Application Generated" /success:disable /failure:disable
auditpol /set /subcategory:"File Share" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable

Only File System success should be logged.

All went well for a while, and I made a filter for the event log to see only events with ID 4656.

But recently, the local security policy was set to "No auditing". I've checked, and the only GPO that is being applied to this server is configured for auditing as "Not defined".

Now, each time I set the auditing in Local Security Policy to "success" (for object access), all subcategories are enabled. When I run the above lines to refine things a bit, I notice that auditing is set to "no auditing" in the local security policy.

So I guess I'm a bit stuck right now.
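
One way to see exactly which Object Access subcategories have drifted from the intended state (only "File System" success) is to parse the CSV report that `auditpol /get ... /r` produces. This is an added example, not part of the original post; the function name `Compare-AuditSubcategory`, the host name and the sample rows are constructed for illustration, and English subcategory names are assumed.

```powershell
function Compare-AuditSubcategory {   # hypothetical helper, not a built-in cmdlet
    param(
        [string[]]$CsvLines,    # lines from: auditpol /get /category:"Object Access" /r
        [hashtable]$Expected    # subcategory name -> wanted "Inclusion Setting"
    )
    # The report can contain blank lines around the CSV; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        # Any subcategory not listed in $Expected should be switched off.
        $want = if ($Expected.ContainsKey($row.Subcategory)) {
            $Expected[$row.Subcategory]
        } else {
            'No Auditing'
        }
        if ($row.'Inclusion Setting' -ne $want) {
            [pscustomobject]@{
                Subcategory = $row.Subcategory
                Expected    = $want
                Actual      = $row.'Inclusion Setting'
            }
        }
    }
}

# Intended state from the post: only File System success is audited.
$expected = @{ 'File System' = 'Success' }

# Constructed sample of the state described in the post after "success" is set
# for the whole Object Access category. GUID values are placeholders.
$sample = @'

Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,File System,{constructed},Success,
SRV01,System,Registry,{constructed},Success,
SRV01,System,Handle Manipulation,{constructed},Success,
SRV01,System,File Share,{constructed},No Auditing,
'@ -split "`r?`n"

# Lists Registry and Handle Manipulation as drifted (Expected: No Auditing).
Compare-AuditSubcategory -CsvLines $sample -Expected $expected | Format-Table -AutoSize

# Against the live policy, from an elevated prompt:
# Compare-AuditSubcategory -CsvLines (auditpol /get /category:"Object Access" /r) -Expected $expected
```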


