How to monitor file and folder access on a Windows file server?

Admins need to keep tabs on who accesses the files/folders on their file servers, for data security and compliance. Keeping track of who accesses your files will also help you when you investigate a data breach.

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

Comprehensive reports to track file/folder access with ADAudit Plus

ADAudit Plus is an IT security and compliance solution that provides real-time reports to consolidate all attempts to access files or folders in your file servers. You can configure these reports to be automatically generated and emailed to you at specified intervals. You can also export these reports to a format of your choice. Here is how you can access these reports using ADAudit Plus:

Login to ADAudit Plus → Go to File Audit tab → Under File Audit Reports → navigate to File read access report.

  • file access report
    • The details you can obtain from this report are:
      1. Which file was accessed
      2. Who accessed the file
      3. When the file was accessed
      4. Which client machine the file was accessed from
      5. Name of the server in which the file is located
    You can also pull up the failed attempts to read, write or delete a file. The reports contain the following details:
    1. Name of the file
    2. Name of the user whose request had failed
    3. Time at which handle request was made
    4. Name of the server in which the file is located
    With a record of all attempts made to access a file (including the failed ones), investigations in case of a data breach becomes much easier. You can track down all the users who accessed a file in order to rule out possible suspects. It can also help in identifying the client machine from which failed attempts were made, thus hinting at a compromised system. Additionally, in case of attempts to access critical files or folders, real-time alerts will be sent straight to your phone or email.

Native method

With native auditing, here is how you can monitor file and folder access on a Windows file server:

  • Step 1: Enable 'Audit object access' policy
  • Launch the Group Policy Management console (Run --> gpedit.msc)

  • Create a new GPO and link it to the domain containing the file server or edit the existing GPO that is linked to the relevant domain.

  • Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.

  • Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.

  • Step 2: Edit auditing entry in the respective file/folder

    Locate the file or folder for which you wish to track all the accesses. Right click on it and go to Properties. Under the Security tab click Advanced.

  • In Advanced Security Settings, go to the Auditing tab and click Add to add a new auditing entry.

  • In the Auditing Entry for Active Directory dialog box, enter the following details:

    1. Principal: Enter the names of the users whose access you wish to audit.
    2. Type: Select the type of access you want to audit. It is preferable to audit "All" changes.
    3. Applies to: Select here whether you want to audit access only on this file, or on all sub folders and files.
    4. Basic permissions: Choose the types of permissions you want to audit. Cick 'Advanced permissions' and choose to audit 'Traverse Folder/Execute File', 'List Folder/Read data', 'Read attributes', and 'Read extended attributes' permissions.
  • Step 3: View audit logs in Event Viewer

    Every time a user accesses the selected file/folder, and changes the permission on it, an event log will be recorded in the Event Viewer. To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.

  • To filter the event logs to view just the logs about the file/folder permission changes, select Filter Current Log from the right pane. Simply search for the event ID 4656 and 4663 which indicates that a file/folder was opened. You can see who accessed the file in “Account Name” field and access time in “Logged” field.

Native auditing becoming a little too much?

Simplify file server auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support

Thanks

One of our solution experts will get in touch with you shortly.

    Please enter business email address
  •  
     
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.