I have a network shared drive (hosted on my file server) that I would like to audit. On my DC I have set up a group policy called "My auditing policy".
Then in “Group Policy Management Editor” under “Computer Configuration” - “Policies” - “Windows Settings” - "Security Settings" - “Local Policies” and under "Audit Policy" I defined a policy to audit "Success" and "Failure". Then on my DC I ran "gpupdate /force", which gave me a warning that some policy will involve re-directed drives and that I needed to log off in order for the policy to take effect, which I did.
I then proceeded to my file server where this network shared drive is located. This drive has subdirectories...
my shared drive
- directory 1
- directory 2
- directory 3
- ..............
- ...............
I right-clicked directory 2, then "Properties" - "Security" - "Advanced", and enabled auditing of this folder (where Principal was "Everyone").
I went as a regular user (usernameA) on a different computer (all machines are domain members) and opened a file within directory 2, and when I went to my file server machine and looked in Event Viewer under Security I could not find any logs for "usernameA". So I have 2 questions...
- How does the policy know which directory needs to be audited?
- Why am I not seeing any logs in Event Viewer on my file server?
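
The setup described above can be checked on the file server with the following added example, which is not part of the original post. It shows which GPOs reached the server, the effective file-system audit setting, the folder's audit entries (SACL) and any recent object-access events; the `$Folder` path is a placeholder and the subcategory name assumes an English-language system.

```powershell
# Run in an elevated PowerShell session on the file server (not on the DC).
# $Folder is a placeholder path (assumption); point it at the audited directory.
$Folder = 'D:\Shares\my shared drive\directory 2'

# 1. GPOs applied to this computer: check whether "My auditing policy" is listed.
gpresult.exe /r /scope:computer

# 2. Effective audit setting for file access on this machine.
#    "File System" is the English subcategory name; it is localized on other systems.
auditpol.exe /get /subcategory:"File System"

# 3. Audit entries (SACL) on the folder. Reading them needs an elevated session.
$acl = Get-Acl -Path $Folder -Audit
if (-not $acl.Audit) {
    Write-Warning "No audit entries found on $Folder"
}
$acl.Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize

# 4. Object-access events (ID 4663) from the last hour that refer to this folder.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the event's named data fields into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $data['SubjectUserName']
            Object = $data['ObjectName']
            Access = $data['AccessMask']
        }
    } |
    Where-Object { $_.Object -like "$Folder*" } |
    Sort-Object Time |
    Format-Table -AutoSize
```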