I
iggygatton
We are having issues with our Security event log within Event Viewer. It is my understanding when you perform Object Access auditing and enable it within Group Policy, you still need to enable auditing on the Objects (to be audited) themselves. We just enabled Object Access auditing and are already seeing Handle Manipulation events (i.e. event id 4656) flooding our Security log even though we have not configured auditing at the file level for ANY of the files in question. A lot of forums mention disabling Audit File System and Audit Handle Manipulation events to ensure the 4656 events do not flood the Security log; however, we want to be able to see these events for the files that we configure auditing for (at the file level), but not for any other files which were not configured for auditing at the file level. We do not have Global Object Access Auditing configured.
Continue reading...
Continue reading...