Share via


Operation-based auditing on files or folders

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Operation-based auditing on files or folders

Operation-based auditing is a new feature in the Windows Server 2003 family. In earlier versions of Windows, information that was gained from object access auditing was not as detailed as it is with operation-based auditing. While you could determine that a user attempted to access an object, there was no way to be sure that the object was accessed in every way that was documented in the audit event. With operation-based auditing, you can audit operations on files and folders. This means that you can audit certain operations, such as Write, as well as the accessing of objects. Operation-based auditing is enabled when object access auditing is enabled on a file or folder. Object access events are recorded, along with operations such as Write, in the security log.

To enable operation-based auditing, you must:

Operation-based audits are categorized as object audits, and they are logged as event number 567 in the security log. They are generated the first time an operation is performed. Only files and folders can be set up to generate operation-based audits.