Hi all. I've enabled success file auditing on a file server with shared folders that are included in DFSR, so now I have a lot of success events in the security log with messages such as: "...Object Name: \Device\HarddiskVolume8\System Volume Information\DFSR\Private\{9B0F30EF-4E1C-4AA5-9FD3-BBC4ED589FD1}-{BA9C58AA-B81B-43EF-AC03-68DC050876F0}\Installing\TfBillEdit_TPatContr-{350BE1AD-B04E-45EA-84AC-9CF4EC3CC752}-v29924488.grid...".
I looked at the audit rules on the DFSR\Private folder and its subfolders, but there is nothing. How can I stop such events in the security log?
This is the Core version of Windows Server 2012, so I try to get the audit rules via PowerShell:
    $acl = Get-Acl $FSObject -Audit
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
Auditing was set by this script:
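    # Enable success auditing for the audit subcategory identified by this GUID
    auditpol /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:enable

    $SystemShares = @()
    if (!$Folder) {
        # No folder given: process every SMB share except the system/administrative ones
        Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Name | ForEach-Object { $SystemShares += "$_$" }
        $SystemShares += "Admin$"
        $SystemShares += "IPC$"
        $SystemShares += "print$"
        $Shares = Get-SmbShare | Where-Object { $_.Name -notin $SystemShares }
    } else {
        if (Test-Path $Folder) {
            # Wrap the path in an object so that $Share.Path resolves in the loop below
            $Shares = @([pscustomobject]@{ Path = $Folder })
        } else {
            Write-Host $Folder "not found, break script"
            # Stop the script here (return instead of break, which is meant for loops)
            return
        }
    }

    # Audit rule: successful delete, permission, ownership and write operations by Everyone
    $AuditUser = "Everyone"
    $AuditRules = "Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,Takeownership,Write"
    $InheritType = "ContainerInherit,ObjectInherit"
    $AuditType = "Success"

    # Build a security descriptor that carries only the audit rule
    $ACL = New-Object System.Security.AccessControl.DirectorySecurity
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
    $ACL.SetAuditRule($AccessRule)

    # Apply it to each selected share path
    ForEach ($Share in $Shares) {
        Write-Host "Processing >",$Share.Path
        $ACL | Set-Acl $Share.Path
    }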
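
One way to check where an audit entry on a path comes from is to list the audit rules on the object and on every parent up to the volume root, together with each rule's IsInherited flag. This is an added example, not part of the original post; the function name Get-AuditRuleChain and the `<drive>` placeholder are assumptions.

```powershell
# Added example (not from the original post). Get-AuditRuleChain is a hypothetical name.
# Run from an elevated session: reading a SACL requires the "Manage auditing and
# security log" privilege, and folders such as System Volume Information may still
# deny access, which is reported in the Error column instead of stopping the walk.
function Get-AuditRuleChain {
    param([Parameter(Mandatory = $true)][string]$Path)

    $current = $Path
    while ($current) {
        try {
            $acl   = Get-Acl -LiteralPath $current -Audit -ErrorAction Stop
            $rules = @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]))

            if ($rules.Count -eq 0) {
                # Emit a row anyway so levels without audit rules stay visible
                [pscustomobject]@{ Path = $current; Identity = $null; Rights = $null
                                   Flags = $null; IsInherited = $null; Error = $null }
            }
            foreach ($rule in $rules) {
                [pscustomobject]@{
                    Path        = $current
                    Identity    = $rule.IdentityReference.Value
                    Rights      = $rule.FileSystemRights
                    Flags       = $rule.AuditFlags
                    IsInherited = $rule.IsInherited   # $false marks the level where the rule was set
                    Error       = $null
                }
            }
        } catch {
            [pscustomobject]@{ Path = $current; Identity = $null; Rights = $null
                               Flags = $null; IsInherited = $null; Error = $_.Exception.Message }
        }
        # Returns $null at the volume root, which ends the loop
        $current = [System.IO.Path]::GetDirectoryName($current)
    }
}

# Usage (replace <drive> with the letter of the volume holding the replicated folder):
# Get-AuditRuleChain '<drive>:\System Volume Information\DFSR\Private' | Format-Table -AutoSize
```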