I think I may need a little handholding here. I have been working with our new Windows 2008 R2 file server. I am having a problem doing some simple file level auditing.
I turned on Audit Object Access in the local policy. The GPO that applies to this server does not have it set, and I only really need it enabled on this server. I have it auditing Success and Failure.
After I did that I got deluged with Event ID 5145. I went to each folder and made sure that I had auditing turned off for each folder and file. I did that to see if it would quiet down the logs a little. It did not. I am currently getting about 1500 events of 5145 every second. They all say “A network share object was checked to see whether client can be granted desired access”.
Most of the details look like this:
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 5145
Version 0
Level 0
Task 12811
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2009-10-21T17:27:06.988998000Z
EventRecordID 4035441
Correlation
- Execution
[ ProcessID] 528
[ ThreadID] 544
Channel Security
Computer XXXXX-File.XXXXX.com
Security
- EventData
SubjectUserSid S-1-5-21-619530815-2141852887-1629300891-2071
SubjectUserName SteveW
SubjectDomainName XXXXXXXXXX
SubjectLogonId 0x223b087c
ObjectType File
IpAddress 10.2.50.88
IpPort 1087
ShareName \\*\users
ShareLocalPath \??\E:\shares\users
RelativeTargetName \
AccessMask 0x1
AccessList %%4416
AccessReason %%4416: %%1801 D:(A;OICI;FA;;;WD)
All I am trying to keep track of at this point is logon and logoff events AND files and folders being deleted.
If I have put this into the wrong folder please let me know.
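The following is an added example, not code from the original post: it shows the granular approach a defender would take on a Windows Server 2008 R2 file server to get only logon/logoff and deletion audits. Event 5145 is produced by the "Detailed File Share" subcategory, which turning on the whole "Audit Object Access" category enables along with every other Object Access subcategory; the fix is to set the subcategories individually with auditpol, put a Delete-only SACL on the share root, and then confirm that 4663 events with DELETE access appear. The share path E:\shares\users is taken from the post's ShareLocalPath field; using "Everyone" as the audited principal is an assumption.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the file server. Assumes: share root E:\shares\users (from the
# post) and "Everyone" as the audited principal (assumption).

# 1. Per-subcategory audit policy. Enabling "Audit Object Access" as a whole
#    category turns on "Detailed File Share", which logs 5145 for every share
#    access check. Disable the share subcategories and keep only File System,
#    plus the logon/logoff subcategories the poster wants.
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable
auditpol /set /subcategory:"File Share"          /success:disable /failure:disable
auditpol /set /subcategory:"File System"         /success:enable  /failure:enable
auditpol /set /subcategory:"Logon"               /success:enable  /failure:enable
auditpol /set /subcategory:"Logoff"              /success:enable  /failure:disable

# Verify: under Object Access only "File System" should now be enabled.
auditpol /get /category:"Object Access"
auditpol /get /category:"Logon/Logoff"

# 2. SACL on the share root: audit Delete and Delete Subfolders/Files only, so
#    ordinary reads and writes do not generate 4663 events. Get-Acl needs -Audit
#    to read the SACL; Set-Acl writes it back.
$Root   = 'E:\shares\users'
$Rights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList @('Everyone', $Rights, $Inherit,
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AuditFlags]::Success)

$Acl = Get-Acl -Path $Root -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Root -AclObject $Acl

# 3. Check the result after deleting a test file under the share: a 4663 whose
#    Accesses field lists DELETE is the deletion attempt, and the following 4660
#    confirms the object was removed. 4624/4634 cover logon and logoff.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -match 'Accesses:\s+DELETE' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

One caveat when switching to subcategory settings: if the legacy "Audit object access" category setting is still configured in Local Security Policy, it will re-apply all subcategories on the next policy refresh. Either set that category back to "No auditing" or enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so the auditpol subcategory settings win.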