Garbage in, garbage out
Way better than this
At this point you want to start clicking and touching. It’s only human. Unless you are using a test computer, resist that urge.
If you start enabling anything in Advanced Audit policy, it will take effect immediately, even if you do not click Apply. Any pre-existing legacy audit policy will be overwritten and this new policy will start being used. If you enable a few things and then disable them, you will turn policy settings off – meaning that you are now auditing nothing. Undoing this is a pain in the neck, so don’t start touching audit policies until you are done testing and ready to roll out to production.
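One way to guard against the situation described above, as an added example that is not from the original post: take a restorable backup and a readable snapshot of the effective audit policy with auditpol before testing, then compare on a later run. The function names and the C:\AuditBackup path are hypothetical, and the "No Auditing" check assumes English-language auditpol output.

```powershell
# Added example, not from the original post. Run from an elevated session.
# First run: back up and snapshot. Later runs: report what changed.
$dir  = 'C:\AuditBackup'                          # hypothetical location
$bak  = Join-Path $dir 'auditpol-before.csv'      # file for auditpol /restore
$snap = Join-Path $dir 'snapshot-before.csv'      # readable baseline

function Get-AuditSnapshot {
    # /r emits the effective policy as CSV; drop blank lines before parsing.
    auditpol.exe /get /category:* /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
}

function Compare-AuditSnapshot {
    param([Parameter(Mandatory)] [object[]] $Before,
          [Parameter(Mandatory)] [object[]] $After)
    # Index the baseline by subcategory GUID, then emit every changed row.
    $old = @{}
    foreach ($row in $Before) {
        $old[$row.'Subcategory GUID'] = $row.'Inclusion Setting'
    }
    foreach ($row in $After) {
        $was = $old[$row.'Subcategory GUID']
        if ($was -ne $row.'Inclusion Setting') {
            [pscustomobject]@{
                Subcategory = $row.Subcategory
                Before      = $was
                After       = $row.'Inclusion Setting'
            }
        }
    }
}

if (-not (Test-Path $snap)) {
    # Before touching any audit setting.
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    auditpol.exe /backup "/file:$bak"
    Get-AuditSnapshot | Export-Csv -Path $snap -NoTypeInformation
    Write-Host "Baseline saved to $dir"
} else {
    $after = @(Get-AuditSnapshot)
    Compare-AuditSnapshot -Before @(Import-Csv $snap) -After $after |
        Format-Table -AutoSize
    # Assumes English output, where a disabled subcategory reads 'No Auditing'.
    if (-not ($after | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' })) {
        Write-Warning 'Every subcategory reports No Auditing.'
    }
    # To roll back: auditpol.exe /restore "/file:$bak"
}
```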
I’ll be writing more about effective auditing settings and dealing with all this in a follow-up post very soon.
Effective audit settings are explained here
20110308 20:08:04.339 2788 USNC 2453 UsnConsumer::UpdateIdRecord ID record updated from USN_RECORD:
+ RecordLength: 104
+ MajorVersion: 2
+ MinorVersion: 0
+ FileRefNumber: 0xF00000000E19C
+ ParentFileRefNumber: 0x70000000038A3
+ USN: 0x85c658
+ TimeStamp: 20110308 20:08:04.339 Eastern Standard Time
+ Reason: Close Security Change
+ SourceInfo: 0x0
+ SecurityId: 0x0
+ FileAttributes: 0x20
+ FileNameLength: 44
+ FileNameOffset: 60
+ FileName: I am some user goo.rtf