checking folder with audit

Dennis 1 Reputation point
2021-09-10T16:14:53.95+00:00

I have set up auditing on one folder on Windows 10 because I want to check whether domain admins or local admins browse it or do something in that folder. If that is the case, I get an email. The problem is that I now constantly get emails, every minute. In that folder the user "SYSTEM" uses copy.exe to copy from a network share into that folder.

Now I have set up auditing for that folder as follows:

Type     Principal                                          Access          Inherited from   Applies to
Success  Administrators (domain\Administrators)             Read & execute  None             This folder, subfolders and files
Success  Local account and member of Administrators group   Read & execute  None             This folder, subfolders and files

In Task Scheduler I have set up a Basic Event task:

Trigger: When an event is logged
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4656

So when event 4656 is logged, Task Scheduler starts sending me an email.

But nobody is browsing or doing anything in that folder except SYSTEM and copy.exe, which copies files to and from a subfolder of that folder.

What did I do wrong? I want the mail-sending action to start only when a domain administrator or local administrator browses, reads or changes that folder or its subfolders and files.


1 answer

  1. Limitless Technology 39,641 Reputation points
    2021-09-13T07:36:33.597+00:00

    Hello @Dennis ,

    I don't find anything unusual in your settings, and your approach is correct to filter out SYSTEM and select groups or users. Verify here: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder

    Could it be that in fact no Administrator or local user is operating in that folder? Have you tried auditing a newly created local user: add it to the folder's audit settings, force the operation (access, read, modify) and check the events again?

    Best regards,

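Editor's note with an added example; this is not code from the question or the answer above. Two things about the setup are worth knowing. First, the LocalSystem token carries the BUILTIN\Administrators group SID (S-1-5-32-544), so a SACL entry for "Administrators" also records SYSTEM's copy.exe activity in the Security log as event 4656 (a handle to an object was requested). Second, the "Create Basic Task" wizard trigger only takes Log, Source and Event ID, so it fires on every 4656 regardless of who requested the handle. The mail storm therefore comes from the trigger, not from a misconfigured SACL. The script below assumes the audited folder is C:\AuditedFolder, stores the alert script at C:\Scripts\Send-AuditAlert.ps1, and uses placeholder SMTP settings; all three are assumptions to adjust. It first dry-runs the narrowed filter against the Security log, then writes the alert script, then registers a scheduled task with a custom event subscription that excludes SYSTEM (S-1-5-18).

```powershell
# Added example, not part of the original question or answer.
# Assumptions (placeholders, adjust to your environment):
#   - the audited folder is C:\AuditedFolder
#   - the alert script is stored at C:\Scripts\Send-AuditAlert.ps1
#   - an SMTP relay is reachable at smtp.example.com (no authentication shown)
# Run from an elevated PowerShell on the Windows 10 machine that holds the folder.

$AuditedPath = 'C:\AuditedFolder'
$ScriptPath  = 'C:\Scripts\Send-AuditAlert.ps1'
$TaskName    = 'Alert-AdminAccessToAuditedFolder'

# Trigger filter: Security event 4656 from the auditing provider, but only when
# the requesting principal is not LocalSystem (S-1-5-18). The Basic task wizard
# has no such condition, so it fires on every 4656, including those produced by
# SYSTEM's copy.exe. The Windows event XPath subset has no contains()/starts-with(),
# so the folder path is checked in the alert script instead.
$Subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4656]]
      and
      *[EventData[Data[@Name='SubjectUserSid'] != 'S-1-5-18']]
    </Select>
  </Query>
</QueryList>
"@

# Step 1: dry run. Show which principals/processes still match before wiring the
# filter to a task. SYSTEM/copy.exe rows should no longer appear.
Get-WinEvent -FilterXml ([xml]$Subscription) -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $f = @{}; foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
            Sid     = $f['SubjectUserSid']
            Object  = $f['ObjectName']
            Process = $f['ProcessName']
        }
    } | Format-Table -AutoSize

# Step 2: the alert script run by the task. It re-reads the newest matching
# event, keeps only hits under the audited folder, and mails the details.
$ActionScript = @'
$AuditedPath = 'C:\AuditedFolder'   # assumption, keep in sync with the task
$Query = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">
  *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4656]]
  and *[EventData[Data[@Name='SubjectUserSid'] != 'S-1-5-18']]
</Select></Query></QueryList>
"@
$ev = Get-WinEvent -FilterXml ([xml]$Query) -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $ev) { return }
$x = [xml]$ev.ToXml()
$f = @{}; foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
# Path filter lives here because the trigger XPath cannot do prefix matches.
if ($f['ObjectName'] -notlike "$AuditedPath*") { return }
$body = @(
    "Time:    $($ev.TimeCreated)",
    "Subject: $($f['SubjectDomainName'])\$($f['SubjectUserName']) ($($f['SubjectUserSid']))",
    "Object:  $($f['ObjectName'])",
    "Process: $($f['ProcessName'])",
    "Access:  $($f['AccessMask'])"
) -join "`n"
# Placeholder mail settings (assumption).
Send-MailMessage -SmtpServer 'smtp.example.com' -From 'audit@example.com' `
    -To 'admin@example.com' -Subject "Admin access to $AuditedPath" -Body $body
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ActionScript -Encoding UTF8

# Step 3: register the task with a custom event trigger. New-ScheduledTaskTrigger
# cannot build event triggers, so the MSFT_TaskEventTrigger CIM class is used.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $Subscription
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
# Runs as SYSTEM so the script can read the Security log.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force
```

The same subscription query can be pasted into Event Viewer's "Custom XML" filter to inspect what the trigger will see. Note that the filter only suppresses the mail: as long as the SACL names "Administrators", SYSTEM's copy.exe accesses will keep appearing in the Security log as 4656 events. Other service SIDs that belong to Administrators can be excluded with additional `and *[EventData[Data[@Name='SubjectUserSid'] != '...']]` clauses in the same way.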
