File System Auditing option in the Security Templates in MMC is confusing

Support for Windows Server 2003 ended on July 14, 2015


This article has been archived. It is offered "as is" and will no longer be updated.
Source: Microsoft Support
RAPID PUBLISHING
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
Symptoms
On Windows Server 2003 and Windows Server 2008 machines, you use a GPO to set an audit entry on a file with the "Apply onto" scope of "Files only." When this GPO is applied, auditing is not set on the file. The same issue occurs if you use Security Templates in MMC to create a template with the audit setting.
Cause


| Apply onto | Applies permissions to current folder | Applies permissions to subfolders in current folder | Applies permissions to files in current folder | Applies permissions to all subsequent subfolders | Applies permissions to files in all subsequent subfolders |
|---|---|---|---|---|---|
| This folder only | X | | | | |
| This folder, subfolders and files | X | X | X | X | X |
| This folder and subfolders | X | X | | X | |
| This folder and files | X | | X | | X |
| Subfolders and files only | | X | X | X | X |
| Subfolders only | | X | | X | |
| Files only | | | X | | X |

Based on the documentation, "Files only" applies to files in the current folder (not to the file itself), so the SDDL generated by the Group Policy editor is correct.

To set the permission on the file, we should use "This folder only."  The wording is misleading.
Resolution


Use "This folder only" instead of "Files only" when setting the audit flag.
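The check below is an added example, not code from the article or from Microsoft. It parses the SACL part of an SDDL string, maps each audit ACE back to its "Apply onto" label, and lists file entries where no audit ACE takes effect on the file itself. The flag mapping is the standard Windows ACE inheritance encoding rather than text quoted from the article, and the paths and SDDL strings are constructed samples.

```python
import re

# "Apply onto" choice -> ACE inheritance flags in SDDL
# (OI = object inherit, CI = container inherit, IO = inherit only).
APPLY_ONTO = {
    frozenset(): "This folder only",
    frozenset({"CI", "OI"}): "This folder, subfolders and files",
    frozenset({"CI"}): "This folder and subfolders",
    frozenset({"OI"}): "This folder and files",
    frozenset({"CI", "OI", "IO"}): "Subfolders and files only",
    frozenset({"CI", "IO"}): "Subfolders only",
    frozenset({"OI", "IO"}): "Files only",
}

def audit_aces(sddl):
    """Yield (scope_label, audits_object_itself, trustee) per audit ACE in the SACL."""
    sacl = sddl.partition("S:")[2]          # empty string when there is no SACL
    for ace in re.findall(r"\(([^)]*)\)", sacl):
        fields = ace.split(";")             # type;flags;rights;guid;guid;trustee
        if len(fields) < 6 or fields[0] != "AU":   # AU = system audit ACE
            continue
        flags = set(re.findall("[A-Z]{2}", fields[1]))
        inherit = frozenset(flags & {"CI", "OI", "IO"})
        label = APPLY_ONTO.get(inherit, "non-standard: " + "".join(sorted(inherit)))
        # An inherit-only ACE is not applied to the object that carries it.
        yield label, "IO" not in flags, fields[5]

def unaudited_files(entries):
    """Return paths whose SACL has audit ACEs, none of them effective on the file itself."""
    bad = []
    for path, sddl in entries:
        aces = list(audit_aces(sddl))
        if aces and not any(on_object for _, on_object, _ in aces):
            bad.append(path)
    return bad

# Constructed sample entries (hypothetical paths; WD = Everyone, SA/FA = audit success/failure).
SAMPLE = [
    (r"C:\data\payroll.xls", "D:AR(A;;FA;;;BA)S:AR(AU;OIIOSAFA;FA;;;WD)"),  # "Files only"
    (r"C:\data\ledger.xls", "D:AR(A;;FA;;;BA)S:AR(AU;SAFA;FA;;;WD)"),       # "This folder only"
]

if __name__ == "__main__":
    for path, sddl in SAMPLE:
        for label, on_object, trustee in audit_aces(sddl):
            print(f"{path}: {label!r} for {trustee}, audits the file itself: {on_object}")
    print("No effective auditing on:", unaudited_files(SAMPLE))
```

Entries reported by `unaudited_files` are the ones to recreate with "This folder only".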
Advanced Steps
More Information
  1. On a Win2K8 machine, open the Security Template MMC.
  2. Create a new template.
  3. Select File System.
  4. Add a file to audit.
  5. Select advanced setting.
  6. Select Audit.
  7. Select a user and choose apply to "Files only."
Properties

Article ID: 958002 - Last Review: 01/14/2015 10:03:34 - Revision: 1.0

Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Standard x64 Edition, Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise x64 Edition, Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows 2000, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Enterprise Edition, Microsoft Windows 2000 Datacenter Server