File Server Create Folder / File Auditing

[Max Coder]

I set Audit File Access to Success, Failure.

I checked the CREATE, DELETE, WRITE attributes under auditing in the relevant folder.

- If I delete a folder or file, I see it successfully under EVENT ID 4663 as
ACCESSES: DELETE.

But if I create a folder, there is a log like the one below. Is this normal?

Accesses:        ReadAttributes   ?


An attempt was made to access an object.

Subject:
Security ID: CS\admin
Account Name: admin
Account Domain: CS
Logon ID: 0xD62F0EC0

Object:
Object Server: Security
Object Type: File
Object Name: D:\IT\New folder
Handle ID: 0x2a84
Resource Attributes: S:AI

Process Information:
Process ID: 0x12fc
Process Name: C:\Windows\explorer.exe

Access Request Information:
Accesses: ReadAttributes

Access Mask: 0x80



2 - But if I create a file inside the folder, it appears as follows.

Accesses: WriteData (or AddFile)


An attempt was made to access an object.

Subject:
Security ID: CS\admin
Account Name: admin
Account Domain: CS
Logon ID: 0xD62F0EC0

Object:
Object Server: Security
Object Type: File
Object Name: D:\IT\New folder\New Text Document.txt
Handle ID: 0x974
Resource Attributes: S:AI

Process Information:
Process ID: 0x12fc
Process Name: C:\Windows\explorer.exe

Access Request Information:
Accesses: WriteData (or AddFile)

Access Mask: 0x2

[Wright, John M]

Just out of curiosity, if you create a file at D:\IT and a folder under D:\IT\New Folder, what do you audit entries look like?

 

I’m thinking this might have something to do with inheritance from the folder the auditing is set for; i.e. you might have to set the auditing for the root of the drive to get what you want.

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Max Coder
Sent: Tuesday, November 4, 2025 1:34 PM
To: ntsysadmin <ntsys...@googlegroups.com>
Subject: [ntsysadmin] File Server Create Folder / File Auditing

 

EXTERNAL EMAIL - This email was sent by a person from outside your organization. Exercise caution when clicking links, opening attachments or taking further action, before validating its authenticity.

Secured by Check Point

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/1ce53e9c-ffcb-4020-94da-7047450e147an%40googlegroups.com.