Guest Steve
Posted August 29, 2007

Hi,

I have configured object access auditing on an SBS 2003 Server. I have followed MS articles, making sure everything is properly configured.

1- Activate the policy and link it to the domain controller
2- Go to the folder in question, select a security group (containing only employees, no system accounts) and set audit on read, write, etc. The folder is on the D:\ drive.

The auditing seems to work; actually, it's doing too much. User accesses to that directory are being logged, but also Administrator and SYSTEM account accesses to files (mmc.exe and store.exe, for instance) that are located on the C:\ drive? The customer wants to easily check who did what. Sorting through all that info doesn't interest them.

Also, strangely, if I look at a particular user's access, I find that the user is making between 5-10 accesses per second to, what seems to me, random directories; no human can click that fast! I'm pretty sure that it is not a virus because all users are having the same kind of multiple accesses. We are using TrendMicro Ent.Ed. and are up to date in virus defs and engine versions. Handles for each access are different? Could it be an application, like Trend itself, that is causing all of those accesses?

This is an important issue for my customer; they are asking to look for 3rd party solutions if we cannot find a way to make this work!

Regards
Steve