How to configure granular audit policy on a file server (Windows Vista or later)?
Note: It is recommended that Advanced Audit Policies are set at the GPO level rather than locally. However, if you or Technical Support have identified a need to set policies locally, please proceed.
In Windows Server 2008 R2, Server 2012 and Windows 7, granular audit policies are integrated with the Group Policies, so they can be applied via a Group Policy Object (GPO) or Local Security Policies.
A. Applying Granular Audit Policies via Local Policies
To apply granular audit policies via Local Policies, perform the following:
1. On a monitored file server, open the Local Security Policy snap-in (navigate to Start->Run and type ‘secpol.msc’).
2. Navigate to Security Settings -> Local Policies -> Security Options and locate the Audit: Force audit policy subcategory settings (Windows Vista or later) policy:
Figure 1: Local Security Policy Snap-In
4. Navigate to Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access and enable the following subcategories: Audit File System and Audit Handle Manipulation.
To do this, double-click a subcategory, select the Configure the following audit events: option, and select the Success and/or Failure checkboxes depending on the type of events you want to track:
Figure 3: Audit File System Properties
5. Update your Group Policies by executing the gpupdate /force command in the command line interface.
Note: You can check your current effective settings by executing the following command:
auditpol /get /category:"Object Access"
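The check described in the note above can be scripted. The following PowerShell is an added example, not part of the original article: it reads the registry value behind the Audit: Force audit policy subcategory settings policy and parses the auditpol report to confirm that the two subcategories from step 4 are being audited. It assumes an elevated session and an English-language OS (auditpol subcategory names are localized).

```powershell
# Added example: verify the local granular audit settings from section A.
# Assumptions: elevated PowerShell session, English subcategory names.

$required = 'File System', 'Handle Manipulation'

# "Audit: Force audit policy subcategory settings (Windows Vista or later)"
# is stored as this LSA value; 1 means subcategory settings take precedence
# over the legacy category-level audit policy.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Force audit policy subcategory settings is not enabled on this server.'
}

# /r makes auditpol emit its report as CSV instead of the aligned text table.
$report = auditpol /get /category:"Object Access" /r
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed with exit code $LASTEXITCODE (is the session elevated?)"
}
$rows = $report | Where-Object { $_.Trim() } | ConvertFrom-Csv

$results = foreach ($name in $required) {
    $row     = $rows | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    New-Object PSObject -Property @{
        Subcategory = $name
        Setting     = $setting
        # Success, Failure, or Success and Failure all satisfy step 4;
        # "No Auditing" (or a missing row) does not.
        Audited     = ($setting -match 'Success|Failure')
    }
}

$results | Format-Table Subcategory, Setting, Audited -AutoSize

# Non-zero exit code so the check can be used in a scheduled compliance task.
if ($results | Where-Object { -not $_.Audited }) {
    Write-Warning 'One or more required Object Access subcategories are not audited.'
    exit 1
}
```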
B. Applying Granular Audit Policies via Group Policies
In order to apply a granular audit policy configuration via a Group Policy Object (GPO), you must have a Windows Server 2008 R2 domain controller or member server with the Group Policy Management Console installed. For instructions on how to do this, refer to the following technical article by Microsoft: Advanced Security Audit Policy Step-by-Step Guide
Note: The current version of File Server Change Reporter ignores granular audit policy settings. As a result, you will get warning messages if the audit policy subcategory configuration is applied (these warning messages do not affect the product functionality). Future product versions will be able to detect if granular audit policies are applied and to verify these settings.
For more information refer to the following technical article: How to Configure Granular Audit Policy on a File Server monitored by NetWrix File Server Change Reporter.