Enable Auditing on Windows Folders/Files

Enable Auditing on Windows Folders/Files

Audit all access to folders and/or files on a server or workstation.

Log onto the server/workstation that you wish to enable auditing on.

Open Local Group Policy Editor.

CTRL + R

gpedit.msc

Browse to the following location: – Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Double click ‘Audit object access’

Select Success and Failure

Click Apply then OK

Exit Local Group Policy Editor

 

Navigate to the folder/file you wish to track permission changes.

Right click the folder/file then select Properties.

Select the Security tab then select Advanced

Select the Auditing tab then select Continue (if prompted)

Click Add

Click Select a principal

Type ‘everyone’ then select Check Names. – Click OK

Set the Type: to All

Untick the default auditing permissions and only select ‘Change permissions’ – Click OK

Click OK Twice more.

Open up cmd or powershell as ADMIN

Execute the command: gpupdate /force

Auditing is now implemented on the specific folders/files.

 

To check audit logs open Event Viewer.

Select the Security Logs

Filter the logs based on Event ID 4670