Access Denied Event ID

I need to monitor if users are constantly trying to access folders they do not have permission to.

I am assuming that an event is written to the event log of the server every time that the user is denied access.

Anyone know what the event ID is? Will it be in the security event log as a failure audit?
 
Off the top of my head, Event ID 540 & 560 will show the access denied, and what to.

But good luck trawling through your security logs. We have a product from GFI called Event Monitor, and even with that it's a nightmare.
 
howler, it's a hell of a task once you start. Even if you have a report sent to your mailbox it takes ages to trawl through it.
And to be honest I cancelled it cos it served no purpose. Users will always click on a folder whether they have permission or not. But it won't prove they're guilty of suspicious behaviour, they're just dumb :p
It's just an extra overhead you could probably do without.
I enable Access Enumeration so that users can only see what they have permission to access.
I know it seems like you want to check up on them but you won't truly know WHY they tried to access such a file/folder, it would be a guess, and having tried it, it truly didn't serve a purpose and the logs were ginormous, so we binned the idea.

edit: if you don't plan on trawling through the logs, what's the point in doing it?
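
An added example, not from any poster in this thread: rather than reading the raw log, this PowerShell sketch counts failure audits with Event ID 560 (the ID given in the reply above) per user and object over the last day and lists only the combinations that repeat. It assumes failure auditing of object access is enabled on the audited folders and that the event text carries the `Object Name`, `Client User Name` and `Primary User Name` labels; the threshold and time window are arbitrary.

```powershell
# Added example. Assumes Object Access failure auditing is enabled and the
# folders have an audit entry (SACL), so denied opens reach the Security log.
$Threshold = 5                       # assumed cut-off: denials per user per object
$Since     = (Get-Date).AddDays(-1)  # assumed window: last 24 hours

$failures = Get-EventLog -LogName Security -InstanceId 560 `
                         -EntryType FailureAudit -After $Since

$rows = foreach ($e in $failures) {
    # Assumption: these field labels appear in the event message text.
    $object  = if ($e.Message -match 'Object Name:\s*(.+)')        { $Matches[1].Trim() }
    $client  = if ($e.Message -match 'Client User Name:\s*(\S+)')  { $Matches[1] }
    $primary = if ($e.Message -match 'Primary User Name:\s*(\S+)') { $Matches[1] }

    # Access over a share is attributed to the client user; local access
    # leaves the client field as "-", so fall back to the primary user.
    $user = if ($client -and $client -ne '-') { $client } else { $primary }

    if ($object -and $user) {
        New-Object PSObject -Property @{
            User   = $user
            Object = $object
            Time   = $e.TimeGenerated
        }
    }
}

# Keep only user/object pairs that were denied repeatedly, noisiest first.
$rows |
    Group-Object User, Object |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastDenied'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
```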
 