This article has been archived. It is offered "as is" and will no longer be updated.
Source: Microsoft Support
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
On Windows Server 2003 and Windows Server 2008 machines, when you set the audit flag by GPO, the audit setting applies on a file with the scope of "files only." When this GPO is applied, audit is not set on the file. If we use Security Templates in MMC to create a template with the audit setting, the same issue occurs.
Apply onto Applies permissions to current folder Applies permissions to subfolders in current folder Applies permissions to files in current folder Applies permissions to all subsequent subfolders Applies permissions to files in all subsequent subfolders
This folder only X
The folder, subfolders and files X x x x x
This folder and subfolders X x x
This folder and files X x x
Subfolders and files only x x x x
Subfolders only x x
Files only x x
Based on the documentation, "Files only" applies to files in the current folder (not the file itself). So the SDDL generated by group policy editor is correct.
To set the permission on the file, we should use "This folder only." The wording is misleading.
Use "This folder only" instead of "Files only" when setting the audit flag.
On a Win2K8 machine, open the Security Template MMC.
Create a new template
Select File System
Add a file to audit
Select advanced setting
Select a user and choose apply to "Files only"
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.