Windows Server Troubleshooting - Auditing

2003-2006 Team Approach Limited
All rights reserved


What's happening? man!

The Auditing system is an important troubleshooting tool. If you have a problem where files are being changed or deleted unexpectedly, you can use the audit system to determine who is accessing the files and when the access occurs. Activating and viewing the audit trail for file access is done with 3 different programs.

  1. Local Security Setting is used to set the Audit Policy. To audit file access you need to enable auditing for success and/or failure for object access.
  2. Windows Explorer is used to select the files or folders of interest. You need to use the Advanced Security dialog to get to the auditing options. The dialog image below shows you some of the auditing options.
  3. Once auditing is enabled by steps 1 and 2, you will see all access to the files in the Event Viewer's Security log as shown below.

Warning!
 Enabling too much auditing will result in additional system overhead to update the Security log.

An example troubleshooting scenario is a case where a program fails because of a file security problem. If the file with the security problem is not identified, how do you determine which security permission to change? Use auditing to determine the problem file and then change the security permissions so that you resolve the problem.

The following dialog shows how Audit Policy settings are enabled. Notice how both failures and successful transactions can be audited.

The following dialog shows a SACL (System Access Control List), which defines a security principal and which of the security permissions will be audited. The dialog shows the permissions of the file system. Other objects, such as printers, registry keys, and AD objects, have different permissions.

The Computer Management console Event Viewer Security log shows the audit trail of audited transactions. Notice that both failures and successful transactions are shown.
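
The three steps above can also be scripted. The following PowerShell is an added example, not part of the original page. It assumes Windows Vista / Server 2008 or later, where auditpol subcategories and event IDs 4656 and 4663 apply; the folder path and the Everyone principal are placeholders.

```powershell
# Added example. Run elevated on Windows Vista / Server 2008 or later.
# $Path and $Principal are placeholder values chosen for this example.
$Path      = 'D:\Data\Reports'
$Principal = 'Everyone'

# Step 1: audit policy. "File System" is the Object Access subcategory for
# files and folders; enable both success and failure auditing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: SACL. Audit only write and delete access, inherited by children,
# to keep Security log volume (and the overhead warned about above) down.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Step 3: audit trail. 4656 = handle requested (failures appear here),
# 4663 = access attempted on the object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = $_.KeywordsDisplayNames -join ','
                User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Process = $d['ProcessName']
                Object  = $d['ObjectName']
                Access  = $d['AccessMask']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

On Windows Server 2003 the Security log records object access under the older three-digit event IDs, so the Id filter does not apply there as written.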