Simplified permission change monitoring with ADAudit Plus
With ADAudit Plus' simple, easy-to-read reports, a single click is all it takes to pull up complete details of who changed the file/folder permissions, when, and from which machine. The exact value of the permission changed is also listed. These reports can be exported, and can also be scheduled to be generated automatically at specified times and delivered to your inbox. You can also configure alerts to notify you when permissions of critical files/folders are changed, so that you can take action immediately.
Log in to ADAudit Plus → Go to File Audit tab → Under File Audit Reports → navigate to Folder Permission Changes report.
The details you can find in this report include:
- File/Folder name and its location in the server.
- Name of the user who modified the permission
- Values of new and old ACL
- Permissions modified
- Server in which the file/folder is located
- Time at which the permission was changed
New ACL: Note that in this example, Mark Lloyd has been given full control during this permission change. With these details you can investigate further if you think the permission change seems malicious.
In case you want to filter the permissions changed based on the server in which the files/folders reside, simply switch to Server Based Reports and navigate to Folder Permissions Changed report. A similar report is displayed, filtered based on the server you choose.
To view the permission changes made by a specific user, go to the User Based Reports and select the Folder Permissions Changed report.
With native auditing, here is how you can monitor changes to files and folder permissions:
Step 1: Enable Audit Object Access policy:
Open Local Security Policy. Go to Security Settings and select Local Policies.
Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.
Step 2: Edit auditing entry in the respective file/folder
Locate the file or folder whose permission changes you wish to track. Right-click on it and go to Properties. In the Security tab, click the Advanced button.
In the Advanced Security Settings for Active Directory window, go to the Auditing tab, and click the Add button to add a new auditing entry.
In the Auditing Entry for Active Directory dialog box, enter the following details:
- Principal: Enter the names of the users whose access you wish to audit.
- Type: Select the type of access you want to audit. It is preferable to audit "All" changes.
- Applies to: Select whether you want to audit permission changes only on this file, or on all sub folders and files.
- Basic permissions: Choose the types of permissions you want to audit. For your specific need, click 'Advanced permissions', and select 'Change permissions'.
Step 3: View audit logs in Event Viewer
Every time a user accesses the selected file/folder and changes the permission on it, an event is recorded in the Security log. To view this audit log, open the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane.
To filter the event logs to view just the logs about the file/folder permission changes, select Filter Current Log from the right pane. Simply search for the event ID 4670 which indicates file/folder permission changes.
The middle pane now shows all the permission changes made to files/folders. Click on any one of them and view its properties.
For more information on the exact permission that was changed, you can examine the old and new security descriptor.
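Step 3 can also be scripted. The following PowerShell is an added example, not part of the original page or of ADAudit Plus: it reads event ID 4670 from the Security log and lists which ACL entries differ between the old and new security descriptor. The function names `Compare-SddlDacl` and `Get-FilePermissionChange` are hypothetical, and the sample descriptors at the end are constructed.

```powershell
# Added example. Requires PowerShell 5.0+ (ConvertFrom-SddlString).

# Return the DACL entries added and removed between two SDDL strings.
function Compare-SddlDacl {
    param([Parameter(Mandatory)][string]$OldSd,
          [Parameter(Mandatory)][string]$NewSd)
    $old = @((ConvertFrom-SddlString -Sddl $OldSd -Type FileSystemRights).DiscretionaryAcl)
    $new = @((ConvertFrom-SddlString -Sddl $NewSd -Type FileSystemRights).DiscretionaryAcl)
    [pscustomobject]@{
        Added   = @($new | Where-Object { $_ -notin $old })
        Removed = @($old | Where-Object { $_ -notin $new })
    }
}

# Read 4670 events from the Security log (run elevated) and diff each one.
function Get-FilePermissionChange {
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        # 4670 is also logged for non-file objects; keep files/folders only,
        # and skip events that lack either descriptor.
        if ($data.ObjectType -ne 'File' -or -not $data.OldSd -or -not $data.NewSd) { return }
        $diff = Compare-SddlDacl -OldSd $data.OldSd -NewSd $data.NewSd
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Object  = $data.ObjectName
            Process = $data.ProcessName
            Added   = $diff.Added
            Removed = $diff.Removed
        }
    }
}

# Constructed sample pair (not from a real log): the new DACL adds a
# Full Control (FA) entry for Authenticated Users (AU).
$oldSd = 'D:AI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)'
$newSd = 'D:AI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;FA;;;AU)'
(Compare-SddlDacl -OldSd $oldSd -NewSd $newSd).Added

# Live use on the audited server: Get-FilePermissionChange | Format-List
```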
Native auditing becoming a little too much?
Simplify file server auditing and reporting with ADAudit Plus.