How to detect who changed file permissions with DataSecurity Plus

Why should you find out who changed file permissions?

  • To monitor if a user is escalating their privileges to access sensitive or restricted files.
  • To make sure only the appropriate users and groups are given access to sensitive files.
  • To ensure that the bare minimum permissions assigned to a user closely align with their role in the organization.

This page covers two ways to do this: DataSecurity Plus and Windows native auditing.

Steps to configure DataSecurity Plus to track file permission changes

  1. Download and install DataSecurity Plus.
  2. Open the DataSecurity Plus console.
  3. Navigate to Admin Console > Admin > Administrative Settings > Domain Settings, and click + Add Domain in the top-right corner to add a new domain.
  4. Provide the Domain Name along with its username and password. Add the required domain controllers and click Save.
  5. To add file servers, navigate to File Audit → Configuration, and click the + Add Server button located in the top-right corner.
  6. Select your domain and add the servers you want to audit.
  7. Choose the files and folders to be audited from Select Objects to Monitor.
  8. Click Install Agent and Finish. The agent is now installed on the selected servers.

Steps to view who changed file permissions

  1. Go to the File Audit tab.
  2. Navigate to Access Audit > Audit Reports > Security Permission Changes.
  3. Select the Server Name and Periods to display the report.
  4. Click Filter in the top-right corner of the report window, and enter the file name you want to monitor. Click Apply. (For this example, we'll name the file Employee_Data.)

You can also create custom reports to see permission changes for a particular user, file, and more.

Steps to send instant alerts when file permission is changed

  1. Go to the File Audit tab.
  2. Navigate to Configuration → General Settings → Alert Configuration.
  3. Click the + Add Global Alert or + Add Server Alert button located in the top-right corner based on your objective.
  4. Provide a suitable name and description for the alert.
  5. Choose a Severity from the drop-down menu.
  6. You can define a Threshold Limit to send alerts based on the number of permission change events that can occur within a specific time.
     Note: If Threshold Limit is not mentioned, then an alert email is sent for every monitored event that occurs in the file.
  7. Within Criteria > Response, click the Enable email notification check box to receive email alerts.
  8. Provide the required email address, Priority, Subject, and Message. To add arguments to the subject or message, click Add and choose the argument from the drop-down menu.
  9. Click Save.
  10. You can include or exclude trusted entities in the Criteria menu.
    Example: To monitor who changed the permissions of a file, enter the following details under Include:
    • User Object: All
    • Action: Permission Change
    • Monitor Type: Files and Folders
  11. Click Save.

An Alert Profile has been created to send an email whenever a user changes the permissions of the 'Employee Data' file.

The email alert is sent as shown below:

Steps to set an audit policy

  1. Launch the Group Policy Management console through either of these methods:
    • Navigate to Server Manager → Tools → Group Policy Management Console, or
    • Press Win+R and in the Run dialog box that appears, type gpmc.msc and click OK.
  2. The Group Policy Management Console window opens. A new Group Policy Object (GPO) can be created, or an existing one can be modified.
  3. If you want to add the Group Policy to an existing GPO, go to step 6.
  4. To create a new GPO, right-click the domain, site, or OU where you want to apply the policy, and click Create a new GPO in this domain and Link it here.
  5. Enter a name for the GPO in the New GPO dialog box, and click OK.
  6. Now right-click on that GPO and choose Edit.
  7. In the Group Policy Management Editor, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
  8. From the list of audit policies, double-click Audit object access to open its Properties.
  9. Select the Define these policy settings check box, then choose both Success and Failure to audit all the changes made on the object.
  10. Click Apply and then OK to close the window.
  11. The GPO will be automatically updated. To update it manually, open the Command Prompt, type gpupdate, and press Enter. Now the GPO is updated.

Steps to set the auditing properties for the required file

  1. Right-click the file you want to audit and choose Properties.
  2. Go to the Security tab and click Advanced to open the Advanced Security Settings window.
  3. Go to the Auditing tab and click Add to create a new audit entry. The Auditing Entry window appears.
  4. Click Select a Principal, and the Select User, Computer, Service Account, or Group dialog box will appear.
  5. Provide Everyone as the object name and click Check Names.
  6. Click OK to close the dialog box.
  7. Choose the type of action you want to audit from the drop-down. If you want to audit all successful and failed events, choose All.
  8. This folder, subfolders and files is selected by default in the Applies To field.
  9. Under the Permissions section, go to Advanced permissions. Select Change permissions and Take ownership. Click OK.
  10. The new entry is now added. Click Apply and OK to close the window.
  11. Click OK in the Properties window.
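
The audit entry configured in the steps above can also be applied from an elevated PowerShell session, which helps when many files need the same entry. This is an added example, not part of the original article or of DataSecurity Plus; the file path is a hypothetical placeholder.

```powershell
# Added example: scripted equivalent of the audit entry above
# (Everyone / Change permissions + Take ownership / Success and Failure).
$path = 'D:\Shares\HR\Employee_Data.xlsx'   # hypothetical path, replace with the file to audit

# Confirm the audit policy from the GPO has reached this server.
auditpol /get /subcategory:"File System"

# Reading or writing the SACL requires an elevated session (SeSecurityPrivilege).
$acl = Get-Acl -Path $path -Audit

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the SACL back to verify that the entry is present.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```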

Steps to view who has changed file permission using Event Viewer

  1. Open the Event Viewer.
  2. Navigate to Windows Logs → Security.
  3. Click the Filter Current Log option in the right pane to bring up the Filter Current Log window.
  4. Under the Task category option, enter the event ID for which you want to view logs. When a file's permission is changed, the event ID 4670 is logged. Enter this event ID and click OK.
  5. The file permission change log is now displayed.
  6. To search for a particular file, click Find... in the right pane.
  7. Provide the file name and click Find Next.
  8. Double-click the highlighted log to view the details.

You can now view who changed the permissions of a file using native auditing.
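
The same lookup can be scripted so that each event 4670 record is reduced to who changed which file and which access control entries were added or removed. This is an added example, not part of the original article; the function name `ConvertTo-PermissionChange`, the account `CONTOSO\jdoe`, and the file path are assumptions made for illustration.

```powershell
# Added example: turn Security-log event 4670 records into "who changed what" rows.
function ConvertTo-PermissionChange {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectType -ne 'File') { return }   # 4670 is also logged for other object types
        # Render the old and new DACLs as readable ACE strings, then diff them.
        $old = @((ConvertFrom-SddlString -Sddl $d.OldSd -Type FileSystemRights).DiscretionaryAcl)
        $new = @((ConvertFrom-SddlString -Sddl $d.NewSd -Type FileSystemRights).DiscretionaryAcl)
        [pscustomobject]@{
            Time        = $e.System.TimeCreated.SystemTime
            ChangedBy   = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Object      = $d.ObjectName
            Process     = $d.ProcessName
            AddedAces   = @($new | Where-Object { $_ -notin $old })
            RemovedAces = @($old | Where-Object { $_ -notin $new })
        }
    }
}

# Constructed sample record (not real log data): Everyone (WD) is granted Full Control.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4670</EventID><TimeCreated SystemTime="2024-01-15T09:30:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">D:\Shares\HR\Employee_Data.xlsx</Data>
    <Data Name="OldSd">D:AI(A;;FA;;;BA)(A;;FA;;;SY)</Data>
    <Data Name="NewSd">D:AI(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;WD)</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
$sample | ConvertTo-PermissionChange | Format-List

# Live query on the audited server (elevated session), filtered to the article's example file.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } | ConvertTo-PermissionChange |
    Where-Object Object -like '*Employee_Data*'
```

An entry in AddedAces that names a broad principal such as Everyone is the kind of change the first section of this page is concerned with.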

Why is native auditing not preferred?

  • The volume of logs increases rapidly, so they must be archived or cleared frequently.
  • It doesn't offer centralized file auditing capabilities across multiple file server environments.
  • The logs contain excessive noise, making it time-consuming to obtain important data from them.
  • It doesn't offer built-in report generating capabilities to meet compliance requirements.

While native auditing records all events, it doesn't offer much help when it comes to retrieving the required information or proving adherence to compliance standards. 
DataSecurity Plus overcomes these limitations and provides a comprehensive file auditing solution that can be configured and installed within minutes.

