Operation-based auditing on files or folders

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Operation-based auditing on files or folders

Operation-based auditing is a new feature in the Windows Server 2003 family. In earlier versions of Windows, information that was gained from object access auditing was not as detailed as it is with operation-based auditing. While you could determine that a user attempted to access an object, there was no way to be sure that the object was accessed in every way that was documented in the audit event. With operation-based auditing, you can audit operations on files and folders. This means that you can audit certain operations, such as Write, as well as the accessing of objects. Operation-based auditing is enabled when object access auditing is enabled on a file or folder. Object access events are recorded, along with operations such as Write, in the security log.

To enable operation-based auditing, you must:

• Enable the Audit object access policy setting. For more information, see Define or modify auditing policy settings for an event category.

• Apply audit policy to a specific folder. For more information, see:

  • Apply or modify auditing policy settings for a local file or folder

  • Apply or modify auditing policy settings for an object using Group Policy

Operation-based audits are categorized as object audits, and they are logged as event number 567 in the security log. They are generated the first time an operation is performed. Only files and folders can be set up to generate operation-based audits.