Forum Discussion

CComillek
Iron Contributor
Jul 02, 2025

File System auditing - Event ID 4663 not logging

I hope someone can help with this issue. I have a requirement to configure file system logging on my Windows file server, and I have set up the security policy to track file system object access, but I am not getting Event ID 4663 (An attempt was made to access an object). These are the steps I took to get to where I am.

 

I set the security policy

---- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

----  Enabled Audit Object Access with both Success and Failure

---- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policy -> Object Access

----  Enabled Audit File Share with both Success and Failure

----  Enabled Audit File System with both Success and Failure

----  Enabled Audit Handle Manipulation with both Success and Failure

1 Reply

  • giuseppina
    Copper Contributor

    It sounds like you’ve done all the right policy settings, but often the missing piece is setting the auditing on the specific folder or file itself.
    Just enabling audit policies in Group Policy isn’t enough — you also need to configure the SACL (System Access Control List) on the folders you want to monitor.

    Try this:

    Right-click the folder you want to audit, go to Properties → Security → Advanced → Auditing tab.

    Add the users or groups you want to audit (or Everyone to test).

    Select what access types to audit (like Read, Write, Delete).

    Apply and OK.

    After that, any matching access should trigger Event ID 4663 in the Security logs.

    If you’ve already done this, it might be worth running gpresult /h report.html to make sure the policy is actually applying to the server.
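
The steps from the reply above, run from an elevated PowerShell session on the file server, as an added example that is not part of the original thread. The folder path and test file name are placeholders, and `Everyone` with Read, Write and Delete mirrors the reply's test suggestion rather than a production audit scope.

```powershell
# Added example: run elevated on the file server.
# Assumption: D:\Shares\Finance is a placeholder for the folder to audit.
$Path = 'D:\Shares\Finance'

# 1. Show the effective audit setting for the File System subcategory.
#    If this reports "No Auditing", the GPO is not applying and no SACL will help.
auditpol /get /subcategory:"File System"

# 2. Read the current SACL. -Audit is required or audit entries are not returned.
$acl = Get-Acl -Path $Path -Audit
$acl.Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 3. Build an audit entry: Everyone, Read/Write/Delete, success and failure,
#    inherited by subfolders and files (same choices as the Auditing tab).
$rights    = [System.Security.AccessControl.FileSystemRights]'Read, Write, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $flags)

# 4. Add the entry and write the SACL back to the folder.
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 5. Generate a matching access: create and delete a throwaway file.
$testFile = Join-Path $Path 'audit-test.txt'   # placeholder file name
Set-Content -Path $testFile -Value 'audit test'
Remove-Item -Path $testFile
Start-Sleep -Seconds 2

# 6. Look for Event ID 4663 entries that mention the test file.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*audit-test.txt*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 6 returns nothing while step 1 shows Success and Failure, re-check the SACL from step 2 on the exact folder that was accessed.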
