Hi all!
I need to audit a shared folder on my domain controller so I am informed when people create or delete any file or folder. I added my auditing options on the specific folder under Permissions > Advanced > Auditing and I get the results in Event Viewer. The thing is that the logs are not readable and I can't find the path to the created files. The object name never shows the path to the file.
Here I have an example:
--------------------------------------------------------------------------
Object Open:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: DC=etclusi,DC=uab,DC=es
Handle ID: 97982632
Operation ID: {0,68866092}
Process ID: 464
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: RUYSAN$
Primary Domain: ETCLUSI
Primary Logon ID: (0x0,0x3E7)
Client User Name: RUYSAN$
Client Domain: ETCLUSI
Client Logon ID: (0x0,0x3E7)
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
Privileges: -
Properties:
---
domain
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
Domain Password & Lockout Policies
lockOutObservationWindow
lockoutDuration
lockoutThreshold
maxPwdAge
minPwdAge
minPwdLength
pwdHistoryLength
pwdProperties
Other Domain Parameters (for use by SAM)
serverState
serverRole
modifiedCount
uASCompat
forceLogoff
domainReplica
oEMInformation
Domain Administer Server
Access Mask: 0
--------------------------------------------------------------------------
Francisco Domingues

Sounds like you may not have object access auditing enabled at the GPO level. You may want to check the Domain Controller Security Policy settings and make sure that Object Access is on for success/failure and then double check your file level auditing settings... make sure they inherit or are applied all the way down to the level you're testing. Then look for event 560... should look like this:
Object Open:
Object Server: Security
Object Type: File
Object Name: I:\home\zaminss\Old laptop\Sent 2008.pst

File creates and mods are harder to spot in all the noise of events you'll see when you get Object Access enabled, but file deletes are very easy to spot:
first you'll see a 560 event stating the object access with a lot more information than you need (I removed all extra info), but way at the bottom it will say access DELETE:
Object Open:
Object Server: Security
Object Type: File
Object Name: I:\home\bbambach\New Text Document.txt
Handle ID: 10216
Accesses: DELETE

Then immediately after you'll see a 564 event that's very short but only indicates an "object" was deleted, and the events tie together via the Handle ID: 10216 (in my case)
Object Deleted:
Object Server: Security
Handle ID: 10216
Process ID: 4
Image File Name:
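The correlation the reply describes (a 560 "Object Open" with DELETE access followed by a 564 "Object Deleted" that shares the same Handle ID) is easy to automate once the events are exported as text. The script below is an added example written for this thread, not code from the original posts or from Microsoft; it assumes the records have been pasted out of Event Viewer in the same "Key: value" layout shown above, and the sample records are constructed to mirror that layout (the SAM_DOMAIN record is included only to show that non-file noise is filtered out). It also handles the failure mode where a 564 arrives without a matching audited 560, in which case the path simply cannot be recovered from the log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the layout the thread shows (not copied from
# a real Security log). Event IDs: 560 = Object Open, 564 = Object Deleted.
SAMPLE_EVENTS = [
    # Noise: a SAM object opened by lsass.exe, not a file at all
    (560, r"""Object Open:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: DC=example,DC=local
Handle ID: 97982632
Accesses: DELETE
READ_CONTROL
ListAccounts
"""),
    # File opened with DELETE access; this record carries the path
    (560, r"""Object Open:
Object Server: Security
Object Type: File
Object Name: I:\home\bbambach\New Text Document.txt
Handle ID: 10216
Process ID: 4
Accesses: DELETE
READ_CONTROL
"""),
    # The short record that follows; only the Handle ID ties it to the path
    (564, r"""Object Deleted:
Object Server: Security
Handle ID: 10216
Process ID: 4
Image File Name:
"""),
    # A delete whose open was never audited (handle not seen in any 560)
    (564, r"""Object Deleted:
Object Server: Security
Handle ID: 777
Process ID: 4
Image File Name:
"""),
]

# A field label looks like "Object Name", "Handle ID": letters and spaces only.
# This keeps the drive colon in "I:\..." from being mistaken for a new field.
LABEL_RE = re.compile(r"[A-Za-z][A-Za-z ]*")


@dataclass
class AuditEvent:
    event_id: int
    fields: Dict[str, str]                       # single-valued "Key: value" pairs
    accesses: List[str] = field(default_factory=list)


def parse_event(event_id: int, body: str) -> AuditEvent:
    """Parse one pasted record. Lines after 'Accesses:' that carry no field
    label are continuation entries of the access list (DELETE, READ_CONTROL...)."""
    fields: Dict[str, str] = {}
    accesses: List[str] = []
    in_accesses = False
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and LABEL_RE.fullmatch(key):
            key, value = key.strip(), value.strip()
            in_accesses = key == "Accesses"
            if in_accesses:
                if value:
                    accesses.append(value)
            else:
                fields[key] = value
        elif in_accesses:
            accesses.append(line)
    return AuditEvent(event_id, fields, accesses)


def deleted_files(records: List[Tuple[int, str]]) -> List[Tuple[str, Optional[str]]]:
    """Return (handle_id, path) for every 564 in log order. The path is None
    when no audited 560 'File' open with DELETE access preceded that handle."""
    open_by_handle: Dict[str, AuditEvent] = {}
    results: List[Tuple[str, Optional[str]]] = []
    for event_id, body in records:
        ev = parse_event(event_id, body)
        if ev.event_id == 560:
            # Only file-system objects matter here; SAM/registry opens are noise
            if ev.fields.get("Object Server") == "Security" and ev.fields.get("Object Type") == "File":
                # Handle IDs are reused over time, so a later open replaces an earlier one
                open_by_handle[ev.fields["Handle ID"]] = ev
        elif ev.event_id == 564:
            hid = ev.fields.get("Handle ID", "")
            opened = open_by_handle.pop(hid, None)
            if opened is not None and "DELETE" in opened.accesses:
                results.append((hid, opened.fields.get("Object Name")))
            else:
                results.append((hid, None))
    return results


if __name__ == "__main__":
    for handle, path in deleted_files(SAMPLE_EVENTS):
        print(f"handle {handle}: {path or 'path unknown (no audited 560 open for this handle)'}")
```

Because the 564 record never names the file, the 560 must be captured too, which is why the reply insists on enabling Object Access success auditing at the policy level before anything useful appears. On Windows Server 2008 and later the same pair is logged as event 4656 (handle requested) and 4660 (object deleted), so the field parsing carries over but the event IDs in a real deployment would need to be swapped.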
