Cant get File Audit Settings to generate events for folder creation

Question

I am trying to monitor folder creation, moves and renames for a certain directory.

I have enabled "Audit File System" in group policy.

And have configured the folder audit settings per below.

When looking at the event log in regards to folders I have observed the following.

• Creating Folders - No Event
• Deleting Folders - 4663 Event with Delete Details
• Folder Move - 4663 Event with Delete details for the folder being moved, 4663 Event with AddSubdirectory details for the parent of the folder getting the file added.

I would have expected some kind of event for just creating a folder, I would have also expected the move to also show this same event or have the name of the sub-directory being added in the add sub-directory event.

Is this standard and the information just isn't there, or have I misconfiugred something?

Answer 1

Hi Hugh,

Thanks for your post. Please understand these filters don't simply give you a list of files/folders created. They would need to be coupled with access masks to understand exactly which files/folders were created or deleted.

File system object access auditing is not enabled by default in Windows. Access auditing can be enabled via Group Policy. To configure the audit policy on a standalone server, use the local Group Policy Editor console (gpedit.msc). If you need to enable the audit policy on multiple computers in an AD domain, use the domain GPO management console (gpmc.msc).

• Open the GPO editor and go to Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access
• Open the Audit File System and specify that only successful access to filesystem objects should be logged (Configure the following audit events -> Success)
• Save the changes and update local Group Policy settings with the command: gpupdate /force

Best Regards,

Ian Xue

---

If the Answer is helpful, please click "Accept Answer" and upvote it.