I have setup audit on one folder on win 10 which I want to check if domain admins or local admins browsing it or doing something in that folder. If that is a case than I get email. Problem is because I get now constantly emails every minute. that folder use user"system" copy.exe from network share to that folder.
Now I have setup audit for that folder for
type principal accesss inherited from applies to
success Administrators (Administrators domain\adminstrators) read&execute none This folder, subfolders and files
success local account and member of Administrator group Read&execute none This folder, subfolders and files
I have setup in task schedulerBasic Event task
Trigger When an even is Logged Security
Action Microsoft windows security auditing
Finish 4656
So when event 4656 is logged task scheduler start to send me an email.
But nobody is browsing or doing anything in that folder except system and copy.exe which copy files from and to a subfolder of that folder.
What did I do wrong?? I want only to start action sending mails when any domain administrator or local administrator browse, read or change that folder or subfolders and files.