SharePoint makes it easy to delegate administrative roles to other users, but you need a way to account for your delegate’s activities. One way of keeping tabs on your delegates is to monitor policy modifications. Although SharePoint doesn’t give you a great deal of granularity, you can view a summary of recent administrative actions that led to a policy modification. It’s an easy process that can yield big results.
Before you begin auditing policy modifications or generating reports, you have to configure SharePoint to log site statistics. Begin the process by opening the Central Administration console and clicking on the Operations link. Next, go to the Logging and Reporting section and click on the Usage Analysis Processing link. At this point, you must select the Enable Logging check box and the Enable Usage Analysis Processing check box, and click OK.
Enabling Portal Usage Reporting
After logging is enabled, portal usage reporting is next. Start by going to the quick launch bar located on the left side of the Central Administration console and clicking on the Shared Services Provider that is listed in the Shared Services Administration section. You will now be taken to the home page for the Shared Services Provider. Go to the Portal Usage Reporting section and click on the Usage Reporting link. Windows will now display the Configure Advanced Usage Analysis Processing page. Go to the Processing Settings section and click the Enable Advanced Usage Analysis Processing check box and the Enable Search Query Logging check box. Click OK when you are done.
The next step is to activate pool usage reporting. Before that, though, you need to reset IIS. To do so, just enter the IISRESET command at the server’s Run prompt. Once the IIS reset is completed activate the reporting feature for your site collections. To do that, switch to your SharePoint site and then go to the Site Settings page. From there, click on the Site Collection Features link, located in the Site Collection Administration column. When the Site Collection Features page appears, click the Activate button next to the Reporting feature.
Creating a Site Collection Policy
After activating the reporting feature, you can get down to business and create a site collection policy. Begin by going to the Site Settings page and clicking the Site Collection Policies link, located in the Site Collection Administration section. When Windows displays the Site Collection Policies page, click the Create button. You will be taken to the Edit Policy screen, where you can begin creating your site collection policy.
Start the process by entering a name and a description for the policy. Now, select the Auditing check box. Upon doing so, Windows will display several check boxes beneath the Enable Auditing check box that you can use to control the types of auditing that will be used. Go ahead and select all of select all the necessary check boxes and click OK.
The next step is to apply the policy that you have just created. For the sake of demonstration, we will apply the policy to a document library. To get started, go to your document library and select the Document Library Settings command from the Settings menu. Windows will display the Customize Documents page. Now, locate the Permissions and Management section and click on the Information Management Policy Settings link.
Next, you must click on your content type link—usually Document—and you will be taken to the Information Management Policy Settings page. Choose the Use Site Collection Policy option, and then select the policy that you created earlier. Click OK to complete the process.
Viewing your audit reports
You have now performed all of the necessary configuration work, and it’s time to view the auditing reports that you created. Go to SharePoint’s All Site Settings page and click on the Audit Log Reports link, which is located in the Site Collection Administration column. When you do, you will be taken to the View Auditing Reports page.
You will notice that there are numerous audit reporting options and that you also have the ability to create your own custom audit reports. If you are interested in viewing policy changes put in place by delegates, then click on the Policy Modifications link located in the Information Management Policy Reports section.
If any policy modifications have occurred, they will be presented in an Excel spreadsheet. Otherwise, you will see a message telling you that the report contains no data. As you can see, the policy modification report isn’t very granular. It gives you a summary of the changes that have been made, but it doesn’t tell you who made the changes. Adding more information can be done only by creating a custom report. You will notice, though, that the report does tell you what type of event has occurred and which library the event occurred within. Given this information, it shouldn’t be too hard to keep tabs on any suspicious SharePoint behavior.
About the Author
Brien M. Posey has received Microsoft’s Most Valuable Professional award six times for his work with Windows Server, IIS, file systems/storage and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once a network administrator for Fort Knox.