Use Object Access Reports to view user access to files, directories and registry data. For example, receive a daily email Report of users that accessed a specific directory.
This Report uses data previously downloaded to the Primary Log Repository or other explicitly assigned Log Repository.
This Report enables you to limit results to a subset of users that you define or that are listed in Active Directory.
An Event Log Consolidation and Monitoring Template must be assigned to each targeted computer.
Supports Windows Server 2012, 2008 R2 and 2008. Does not support Server 2003.
There are 3 steps to create an Object Access Report:
1. Configure the server for Object Access Auditing.
2. Assign the Event Log Consolidation and Monitoring Template to the server.
3. Create an Object Access Report.
To configure the server for Object Access Auditing:
1. Select Start > Administrative Tools > Local Security Policy. The Local Security Policy view displays.
Object Access Reports
2. Select Security Settings > Advanced Audit Policy Configuration > Object Access.
3. From the Subcategory list, double-click Audit File System. The Audit File System Properties view displays.
4. Check Configure the following audit events, Success and Failure.
5. Click OK.
6. Open Windows Explorer (Windows Key + E).
7. Navigate to the folder on which you want to enable auditing, right-click it and select Properties.
The Audit File System Properties view displays.
8. Select the Security tab then click Advanced.
The Advanced Security Settings view displays.
9. Select the Auditing tab then click Add.
The Auditing Entry view displays.
10. Click Select a principal. The Select User or Group dialog displays. Enter Everyone.
Click OK. The principal is set.
11. Set the Type to All.
12. From Basic permissions check Full control.
Click OK. The auditing entry is added.
13. Click OK. The Properties dialog displays.
14. Click OK.
For more information see the following Microsoft articles:
· Server 2012: Scenario: File Access Auditing
· Server 2008 R2: Managing Security Auditing
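The same server configuration can be scripted. The following is an added example, not part of the original documentation or the vendor's code: it enables the Audit File System subcategory and adds the Everyone / All / Full control auditing entry from an elevated PowerShell prompt. The folder path is a hypothetical placeholder, and the inheritance setting (this folder, subfolders and files) is an assumption, since the steps above do not state what the entry applies to.

```powershell
# Added example. Run from an elevated PowerShell prompt on the target server.
# $Folder is a hypothetical path; replace it with the folder to audit.
$Folder = 'D:\Shares\Finance'

# Steps 2-5: enable Success and Failure auditing for Audit File System.
# The subcategory name is localized; "File System" is the English name.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# Steps 7-13: add an auditing entry for Everyone, Type All, Full control.
# -Audit makes Get-Acl return the SACL (audit entries) as well as the DACL.
$acl = Get-Acl -Path $Folder -Audit

$rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
# Assumption: the entry applies to this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag  = [System.Security.AccessControl.PropagationFlags]::None
# Type "All" in the dialog corresponds to both Success and Failure.
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propag, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check 1: the effective policy shows "Success and Failure" for File System.
auditpol.exe /get /subcategory:"File System"

# Check 2: the folder now carries the auditing entry.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-List IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Check 3: after touching a file in the folder, object access events
# (event ID 4663) appear in the Security log that the Template downloads.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, MachineName -AutoSize
```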
To assign the Event Log Consolidation and Monitoring Template:
Each computer you would like to Report on must be configured to download and consolidate the Security Event Log entries. Server Manager includes a sample Template called Event Log Consolidation and Monitoring that has been pre-configured to download Security Event Log entries once an hour. Once assigned to each target computer, Server Manager will automatically download and consolidate the Security Event Log entries every hour.
1. From the Object Explorer, navigate to Templates > Sample Templates.
2. Right-click Event Log Consolidation and Monitoring and click Assign > Computer, Device or Host. The Select Multiple Computers, Devices and Hosts dialog displays.
3. Check the target computers then click OK. The Template is assigned to the checked computers.
To create a Report:
1. Select File > New > Report. The Select Report Type dialog displays.
2. Double-click Log Monitors > Event Logs > Object Access. The Report Properties dialog displays.
3. Use the General tab to specify a unique Name and schedule the frequency to run.
4. Use the Logs tab to optionally add Explicitly Assigned Consolidated Logs. For example, if you have restored an archived database which you would like to run this report against, use this page to add the security logs contained within the target Auxiliary Database.
5. Use the Options tab to:
1. Select Summarize to group similar events. When summarized, an extra column is added that displays the count of entries.
2. Use the Group by drop-down to select the column to group by.
3. Assign a Filter to limit the entries in the Report.
6. Use the Date and Time Range tab to select the date range to include within the Report.
7. Use the Filter Users/Accounts tab to include or exclude specific users.
8. Use the Actions tab to assign email and/or file output Actions as well as error Actions.
9. Use the Report Assignments view to assign hosts, host groups and Report groups.
10. Click OK.
Action Variable Tags
The following header tags are available:
DATE The date the Report was generated.
TIME The time the Report was generated.
LOCALHOST The host name of the computer where the software is installed.
MESSAGE A detailed message.
NAME The Report name.
OBJECT_TYPE The type of Report.
HOST The target host name(s).
TEXT: comma delimited
HTML: line feed delimited (<br/>)
IPv4 The target IPv4 address(es).
TEXT: comma delimited
HTML: line feed delimited (<br/>)
IPv6 The target IPv6 address(es).
TEXT: comma delimited
HTML: line feed delimited (<br/>)
LOG The target log name.
DATE_RANGE The time span to check (e.g. daily).
STATE_IMG The object state image (e.g. OK, Warning, Critical, Error).
Applies to HTML output only.
The following entry tags are available:
DATE The date the entry was generated.
TIME The time the entry was generated.
HOST The computer the entry was generated on.
USER The username of the account that triggered the event.
DOMAIN The user's domain.
OBJECT_NAME The directory, file or registry data.
PROCESS_NAME The full path to executable.
ACCESS_FLAGS The access type (e.g. Read, Write, Delete).
For example:
{NAME}
{DATE_RANGE}
Date, Time, Object, Process, User, Domain, Access
<ITEM>{DATE}, {TIME}, {OBJECT_NAME}, {PROCESS_NAME}, {USER}, {DOMAIN}, {ACCESS_FLAGS}</ITEM>