How to Audit Failed Access Attempts to a Shared Folder

With Native AD Auditing
With ADAudit Plus

One-click reports to track failed attempts to access shared folder with ADAudit Plus

ADAudit Plus offers reports that pull up failed attempts made to your files/folders with complete details in a single click. These reports can be exported in any format such as CSV, PDF, XML etc. Real-time alerts can be sent to your e-mail or phone so that you can be notified when changes are made to a critical file or folder. Here is how you can access these reports:

Launch ADAudit Plus and log in → Go to the File Audit tab → Under File Audit Reports → the following reports present failed attempts made on shared folders:

1. Failed attempt to read file
2. Failed attempt to write file
3. Failed attempt to delete file
These reports contain the following details:
1. Name of the file
2. Name of the user whose request had failed
3. Time at which handle request was made
4. Name of the server in which the file is located
To categorize failed access attempts based on shares, go to the Share Based Reports tab, and select the Failed attempts to Read File report. Select the share that you want to track changes on. The details of all changes made on this share is shown, similar to the above report.

Step 1: Enable "Audit object access" policy
Launch the Group Policy Management console (Run --> gpedit.msc)
Create a new GPO and link it to the domain containing the file server or edit the existing GPO that is linked to the relevant domain.
Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.
Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.
Step 2: Edit auditing entry in the respective file/folder

Locate the file or folder for which you wish to track the failed access attempts. Right click on it and go to Properties. Under the Security tab click Advanced.
In Advanced Security Settings, go to the Auditing tab and click Add to add a new auditing entry.
In the Auditing Entry for Active Directory dialog box, enter the following details:
1. Principal: Enter the names of the users you want to audit when they access this file/folder.
2. Type: Select the type of access you want to audit. It is preferable to audit "All" changes.
3. Applies to:Select whether you want to audit access only on this file, or on all sub folders and files.
4. Basic permissions: Choose the types of permissions you want to audit. For your specific need, click 'Advanced permissions', and select 'Traverse Folder/Execute File', 'List Folder/Read data', 'Read attributes', and 'Read extended attributes' permissions.
Step 3: View audit logs in Event Viewer

Every time a user accesses the selected file/folder, and the attempt fails, an event log will be recorded in the Event Viewer. To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.
To filter the event logs to view just the logs about the file/folder permission changes, select Filter Current Log from the right pane. Simply search for the event ID 4656 and 4663 which indicate file/folder permission changes. You can see who accessed the file in “Account Name” field and access time in “Logged” field.