Access Denied: Audit Control List Editing Rights for a Win2K Object

Is the owner of a Windows 2000 object's audit control list the only one who can edit it? If not, is there a permission that lets me delegate this ability?

You can't delegate the ability to edit the audit settings on an object as you can delegate other types of access (e.g., Read, Modify, Full Control). Win2K controls who can change audit settings on objects through the Manage auditing and security log right. To view or edit the audit control list for an object such as a file in Windows Explorer or an organizational unit (OU) in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the object, select Properties, click the Security tab, then click Advanced. If you have the Manage auditing and security log right on the computer on which the object resides, you'll find the Auditing tab that Figure 6 shows. The Manage auditing and security log right not only governs who can configure auditing for all the objects on the system but also lets you view and clear the Security log.
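One way to check which accounts hold the Manage auditing and security log right on a computer, as an added example that is not part of the original article. The right's internal name is SeSecurityPrivilege; the function name, the sample lines and the EXAMPLE\audit-admins group are constructed for illustration.

```powershell
# Added example: list the accounts that hold "Manage auditing and security log"
# (SeSecurityPrivilege) from the lines of a secedit user-rights export.
function Get-AuditRightHolder {
    param([Parameter(Mandatory)][string[]]$InfLines)

    # One line per right, e.g.  SeSecurityPrivilege = *S-1-5-32-544,DOMAIN\user
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # no line for the right in this export

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }          # empty assignment
        if ($entry.StartsWith('*')) {
            # SIDs carry a '*' prefix; resolve them to a name where possible
            $sid = $entry.Substring(1)
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolved)'         # deleted account or unreachable domain
            }
            [pscustomobject]@{ Sid = $sid; Account = $name }
        } else {
            # Entry was exported as an account name rather than a SID
            [pscustomobject]@{ Sid = $null; Account = $entry }
        }
    }
}

# Constructed sample of the [Privilege Rights] section of an export
$sample = @(
    '[Privilege Rights]'
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
    'SeSecurityPrivilege = *S-1-5-32-544,EXAMPLE\audit-admins'
)
Get-AuditRightHolder -InfLines $sample

# On a live system, from an elevated prompt, parse the real assignments:
# secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf" | Out-Null
# Get-AuditRightHolder -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Every account in the output can change audit settings on any object on that computer and can view and clear its Security log, so the list is worth reviewing alongside the audit settings themselves.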
