How to Set Up File Auditing on Cluster Disk (196655)


The information in this article applies to:

  • Microsoft Windows NT Server, Enterprise Edition 4.0
  • Microsoft Cluster Server
This article was previously published under Q196655

SUMMARY

When using Microsoft Cluster Server version 1.0, NTFS file/directory auditing on a shared disk resource will stop recording file system access after the disk resource is failed over to the other node. If the disk resource fails back to the original node where auditing was configured, it logs information correctly.

MORE INFORMATION

Auditing NTFS files and directories is set up both at the system level and the file system level. The configuration set in Explorer resides on the volume in question, but the system level configuration set in User Manager is stored in the local system registry and is not replicated between the Cluster nodes.

To turn this feature on, follow these steps:

  1. Go to each node in the cluster and run User Manager.
  2. On the Policies menu, select Audit.
  3. Click to select Audit These Events and then click to select one or both of the Success and Failure check boxes for File and Object Access.
Audit settings remain and are viewable from Explorer.exe, from either node, providing that the node doing the viewing owns the drive and has it mounted (online).

For additional information on auditing, please see the following article in the Microsoft Knowledge Base:

157238 How to Activate Security Event Logging in Windows NT 4.0

Modification Type:MinorLast Reviewed:1/5/2006
Keywords:kbhowto kbinfo KB196655
©2004 Microsoft Corporation. All rights reserved.