How to monitor changes to files and folder permissions?

Admins must monitor file/folder access permissions to ensure that rogue users don't tamper with critical data,
and don't make any unauthorized changes to the permissions.

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

Simplified permission change monitoring with ADAudit Plus

With ADAudit Plus' simple, easy to read reports, a single click is all it takes to pull up complete details of who changed the file/folder permissions, when and from which machine. The exact value of the permission changed is also listed. These reports can be exported and also scheduled to be automatically generated, at the specified times, and delivered to your inbox. You can also configure alerts to notify you when permissions of critical files/folders are changed. This way you can take action immediately.

Login to ADAudit Plus → Go to File Audit tab → Under File Audit Reports → navigate to Folder Permission Changes report.

  • folder permission report The details you can find in this report include:
    1. File/Folder name and its location in the server.
    2. Name of the user who modified the permission
    3. Values of new and old ACL
    4. Permissions modified
    5. Server in which the file/folder is located
    6. Time at which the permission was changed
    To understand what exactly was changed in the file/folder's ACL, click the More link in the Permission Modified field. permission changes report The new and old values of your ACL are also provided in detail.

    Old ACL:

    old acl

    New ACL:

    new acl Note that in this example, Mark Lloyd has been given full control during this permission change. With these details you can investigate further if you think the permission change seems malicious. In case you want to filter the permissions changed based on the server in which the files/folders reside, simply switch to Server Based Reports and navigate to Folder Permissions Changed report. A similar report is displayed, filtered based on the server you choose. To view the permission changes made by a specific user, go to the User Based Reports and select the Folder Permissions Changed report.

Native auditing

With native auditing, here is how you can monitor changes to files and folder permissions:

  • Step 1: Enable Audit Object Access policy:

    Open Local Security Policy. Go to Security Settings and select Local Policies.

  • Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.

  • Step 2: Edit auditing entry in the respective file/folder

    Locate the file or folder whose permission changes you wish to track. Right click on it and go to Properties. In the Security tab, click the Advanced button.

  • In Advanced Security Settings for Active Directory window, go to Auditing tab, and click the Add button to add a new auditing entry.

  • In the Auditing Entry for Active Directory dialog box, enter the following details:

    1. Principal: Enter the names of the users whose access you wish to audit.
    2. Type: Select the type of access you want to audit. It is preferable to audit "All" changes.
    3. Applies to: Select whether you want to audit permission changes only on this file, or on all sub folders and files.
    4. Basic permissions: Choose the types of permissions you want to audit. For your specific need, click 'Advanced permissions', and select 'Change permissions'.
  • Step 3: View audit logs in Event Viewer

    Every time a user accesses the selected file/folder, and changes the permission on it, an event log will be recorded in the Event Viewer. To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.

  • To filter the event logs to view just the logs about the file/folder permission changes, select Filter Current Log from the right pane. Simply search for the event ID 4670 which indicates file/folder permission changes.

  • The middle pane now shows all the permission changes made to files/folders. Click on any one of them and view its properties.

  • For more information on the exact permission that was changed, you can examine the old and new security descriptor.

Native auditing becoming a little too much?

Simplify file server auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support

Thanks

One of our solution experts will get in touch with you shortly.

    Please enter business email address
  •  
     
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.