I'm having a horrible time trying to get the right items audited. Started out with a GP, setting the basic auditing setting of Object Access to Success, Failure. Unfortunately, this filled my security log with event id 5156 entries. Did some research, and found these entries were from auditing of Filtering Platform Connection, which I don't need audited. Figured out exactly what I do need audited, which is File Share and Handle Manipulation. Now, I can't get these settings to stick. I've disabled all settings in the GPO that set the basic auditing, and on the file servers themselves, I've made sure that the basic Object Access is set to No Auditing, and the advanced settings are set to Success, Failure.
On one server, when these are set, I reboot, and the basic setting is back to Success, Failure, which then enables all the subcategories as well. On the other server, when I look at Local Security Policy, it looks like things are correct, but when I go to a command line and use: auditpol.exe /get /category:*, it shows Object Access set to No Auditing for everything. Anyone have any advice? Joe Heaton Enterprise Server Support Information Technology Operations Branch Data and Technology Division CA Department of Fish and Wildlife 1807 13th Street, Suite 201 Sacramento, CA 95811 Desk: (916) 323-1284
