Hi, I have enabled a GPO with the following: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access -> Audit File System - Success, on a file server.
After that, I have enabled successful Create files/Create Folders on a folder for the built-in group Everyone.
That part works fine; I can see when users are creating files in the folders. But I also get extreme amounts of other events logged in the Security log, and everything is coming from the backup agent running on the server (NetBackup in this case).
How come a backup agent is creating events like this? It makes filtering much harder afterwards. The business requirement is to audit Everyone who is adding files to a specific folder, not all the rest of the server. The server is Win2008 R2.
Example:
An attempt was made to access an object.

Subject:
    Security ID: SYSTEM
    Account Name: FILESERVER01$
    Account Domain: MYDOMAIN
    Logon ID: 0x3e7

Object:
    Object Server: Security
    Object Type: File
    Object Name: \Device\HarddiskVolumeShadowCopy58\Windows\winsxs\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.1.7601.18619_none_d4cab625fb3adf96\audiosrv.dll
    Handle ID: 0x3c4

Process Information:
    Process ID: 0x1048
    Process Name: C:\Program Files\VERITAS\NetBackup\bin\bpbkar32.exe

Access Request Information:
    Accesses: WriteAttributes
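
An added example, not part of the original post: one way to reduce event 4663 records ("An attempt was made to access an object") to file and folder creations under the audited folder, dropping records produced by the backup process. The folder path, the function name `Select-FolderCreate` and the three sample records are constructed for illustration; the backup process path is the one shown in the event above.

```powershell
# Assumption: $AuditedFolder is a hypothetical path; replace it with the audited folder.
$AuditedFolder = 'D:\Shares\Projects\'
$BackupProcess = 'C:\Program Files\VERITAS\NetBackup\bin\bpbkar32.exe'
# File access rights: 0x2 = WriteData/AddFile, 0x4 = AppendData/AddSubdirectory
$CreateMask = 0x2 -bor 0x4

function Select-FolderCreate {
    param([Parameter(ValueFromPipeline = $true)][string] $EventXml)
    process {
        # Flatten <EventData><Data Name="..."> into a lookup table.
        $d = @{}
        foreach ($n in ([xml]$EventXml).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if (-not $d.ObjectName -or -not $d.AccessMask) { return }   # incomplete record
        if ($d.ProcessName -eq $BackupProcess) { return }           # backup agent
        # Ordinal prefix match: no wildcard handling, so [ ] in file names are safe.
        if (-not $d.ObjectName.StartsWith($AuditedFolder,
                [StringComparison]::OrdinalIgnoreCase)) { return }
        # Keep only accesses that include a create right (WriteAttributes is 0x100).
        if (([Convert]::ToInt32($d.AccessMask, 16) -band $CreateMask) -eq 0) { return }

        New-Object psobject -Property @{
            User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Path    = $d.ObjectName
            Process = $d.ProcessName
        }
    }
}

# Constructed sample records carrying only the fields the filter reads.
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='SubjectUserName'>{0}</Data><Data Name='SubjectDomainName'>MYDOMAIN</Data>" +
    "<Data Name='ObjectName'>{1}</Data><Data Name='ProcessName'>{2}</Data>" +
    "<Data Name='AccessMask'>{3}</Data></EventData></Event>"
$samples = @(
    ($template -f 'FILESERVER01$', '\Device\HarddiskVolumeShadowCopy58\Windows\winsxs\x.dll', $BackupProcess, '0x100'),
    ($template -f 'alice', 'D:\Shares\Projects\report.docx', 'C:\Windows\explorer.exe', '0x2'),
    ($template -f 'bob', 'D:\Shares\Projects\report.docx', 'C:\Windows\explorer.exe', '0x100')
)
$samples | Select-FolderCreate

# Against the live Security log (last 24 hours):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { $_.ToXml() } | Select-FolderCreate
```

This filters after collection only; the backup agent's events are still written to the Security log, so log size and retention are unaffected.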