Affected versions: Windows Server 2012 R2

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Audit SACLs are configured on files and folders on Windows Server 2012 R2 but no 4663 file access events are written, causing audit gaps for compliance reporting.

Environment & Reproduction

Reproduce by reading a file under the audited folder as a user covered by the SACL, then checking the Security log.

auditpol /get /subcategory:'File System'
Get-Acl 'D:\Data\Sensitive' -Audit

Root Cause Analysis

Object access auditing is not enabled at the subcategory level, or the "Force audit policy subcategory settings" security option is off, so legacy category-level audit policy can override the subcategory settings.

Quick Triage

Inspect audit policy.

auditpol /get /category:'Object Access'
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy

Step-by-Step Diagnosis

Validate that the SACL is set and inheritable.

Get-Acl 'D:\Data\Sensitive' -Audit | Select -ExpandProperty Audit
icacls 'D:\Data\Sensitive' /findsid 'CORP\Auditors'

Solution – Primary Fix

Enable Object Access auditing and force subcategory settings.

auditpol /set /subcategory:'File System' /success:enable /failure:enable
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1
gpupdate /force

Solution – Alternative Approaches

Deploy via Advanced Audit Policy GPO across the fleet.

# gpedit.msc -> Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > File System
gpupdate /force

Verification & Acceptance Criteria

4663 events appear in the Security log when SACL-tracked actions occur.

Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4663)]]" -MaxEvents 10
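
The checks from the triage, diagnosis and verification sections combined into one script, as an added example that is not part of the original article. It assumes an elevated PowerShell session and English auditpol column names; $Path and the property names of the output object are placeholders chosen for illustration.

```powershell
# Added example, not from the original article: checks each precondition for 4663 events.
# Assumes an elevated session and English auditpol column names; $Path is a placeholder.
param([string]$Path = 'D:\Data\Sensitive')

$findings = @()

# 1. Effective "File System" subcategory setting, read from auditpol's CSV report (/r).
$row = auditpol /get /subcategory:"File System" /r | Where-Object { $_ } | ConvertFrom-Csv
$setting = $row.'Inclusion Setting'
if ($setting -notmatch 'Success') {
    $findings += "File System subcategory is '$setting'; success auditing is off."
}

# 2. "Force audit policy subcategory settings": a value of 1 makes subcategory
#    settings win over legacy category-level policy.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$forced = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
if (-not $forced) {
    $findings += 'SCENoApplyLegacyAuditPolicy is not 1; legacy category policy can override.'
}

# 3. SACL on the target: at least one audit rule that covers successful reads.
$success  = [System.Security.AccessControl.AuditFlags]::Success
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$rules = @((Get-Acl -Path $Path -Audit).Audit)
$readRules = @($rules | Where-Object {
    (($_.AuditFlags -band $success) -ne 0) -and
    (($_.FileSystemRights -band $readData) -ne 0)
})
if ($readRules.Count -eq 0) {
    $findings += "No SACL entry on '$Path' audits successful reads."
}

# 4. Recent 4663 events. Get-WinEvent raises an error when nothing matches,
#    so an empty result is treated as zero events rather than a failure.
$events = @(Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4663)]]" `
    -MaxEvents 10 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    FileSystemSetting = $setting
    ForceSubcategory  = $forced
    ReadAuditRules    = $readRules.Count
    Recent4663        = $events.Count
    Findings          = $findings
}
```

An empty Findings list together with Recent4663 at 0 means the policy and SACL are in place but no audited access has occurred since they took effect.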

Rollback Plan

Disable subcategory auditing if event volume is overwhelming.

auditpol /set /subcategory:'File System' /success:disable /failure:disable

Prevention & Hardening

Combine with central event forwarding, alert on audit policy changes (4719), and review SACL coverage.

Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4719)]]" -MaxEvents 20

Related Errors & Cross-Refs

Related to audit log overflow and Security log retention strategy.

References & Further Reading

Microsoft Learn: Advanced security audit policy and SACLs.
