Audit policy windows 2003 server

[zeezam]

Want to audit my fileserver witch is a windows 2003 server.

In my Local security settings I can see the audit policy settings.

Main purpose is to see file change and permission change - is that possible?

How much local disk space should I conspire with?

Is it any setting for that?

[allen2]

The way Microsoft designed the ntfs audit, it logs way too much uneeded informations and it takes way too much time to find what happened this way. First i'd set restrictive rights (nobody except admins can change rights). As for file change i'd use the shadow copies that can be run very often (but i wouldn't run them more than every 1 hour). This way you can easily restore to previous version even if you don't know who modified the file.

That doesn't really answer to your problem, but if there are more than 100 users accessing to more 200GB of excel/word files, you security eventlog will need to be at least a 500MB if you want to have at least a day of audit.

[zeezam]

The way Microsoft designed the ntfs audit, it logs way too much uneeded informations and it takes way too much time to find what happened this way. First i'd set restrictive rights (nobody except admins can change rights). As for file change i'd use the shadow copies that can be run very often (but i wouldn't run them more than every 1 hour). This way you can easily restore to previous version even if you don't know who modified the file.

That doesn't really answer to your problem, but if there are more than 100 users accessing to more 200GB of excel/word files, you security eventlog will need to be at least a 500MB if you want to have at least a day of audit.

I see your point and I agree.

Shadow copy demand extra disk space on the same disk?

[allen2]

Yes but with 2003 R2 you can also store shadow copies on another drive.