Phone Get Quote
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892


How to track changes in shared folder on file server?

Tracking changes made to shared files/folders helps ensure data security and meet the requirements of compliance mandates. Recording unwarranted changes proves to be useful during data breach investigations. By keeping tabs on who changed what in your file servers, insider threats can be prevented too. Here is how you can track who changed a shared file or folder in your file servers using native methods.

Download for FREE
Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

Complete change monitoring on files/folders with ADAudit Plus:

ADAudit Plus offers reports that pull up changes made to your files/folders with complete details in a single click. These reports can be exported in any format such as CSV, PDF, XML etc. Real-time alerts can be sent to your e-mail or phone so that you can be notified when changes are made to a critical file or folder. Here is how you can access these reports:

Login to ADAudit Plus → Go to File Audit tab → Under File Audit Reports → navigate to All File/Folder Changes report. Select the time period for which you want to track the changes made and the domain that the file server belongs to.

  • file and folder changes report
    • The details you will find in this report are:

      1. Name of the file/folder changed
      2. Who made the changes
      3. When the change was made
      4. Location of the file/folder
    You can filter the graph based on the change type. For example, if you want to see the files that were deleted, simply pick them out from the graph, and all logs corresponding to file deletion will be displayed. To categorize changes based on shares, go to the Share Based Reports tab, and select 'All file/folder changes by share'. Select the share for which you wish to track the changes. The details of all changes made on this share is shown, similar to the above report. file share based report

Native method

  • Step 1: Enable 'Audit object access' policy
  • Launch the Group Policy Management console (Run --> gpedit.msc)

  • Create a new GPO and link it to the domain containing the file server or edit the existing GPO that is linked to the relevant domain.

  • Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.

  • Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.

  • Navigate to Advanced Audit Policy Configurationb -> Audit Policies -> Object access. Turn on auditing for Audit file system and Audit handle manipulation.

  • Step 2: Edit auditing entry in the respective file/folder

    Locate the file or folder for which you wish to track all the accesses. Right click on it and go to Properties. Under the Security tab click Advanced.

  • In Advanced Security Settings, go to the Auditing tab and click Add to add a new auditing entry.

  • In the Auditing Entry for Active Directory dialog box, enter the following details:

    1. Principal: Enter the names of the users whose changes you wish to audit.
    2. Type: Select the type of changes you want to audit. It is preferable to audit "All" changes.
    3. Applies to: Select here whether you want to audit access only on this file, or on all sub folders and files.
    4. Basic permissions: Choose the types of permissions you want to audit. Click 'Advanced permissions' and choose to audit 'Traverse folder / execute file', 'List folder / read data', 'Create files /write data', 'Create folders / append data', 'Write attribute'.
  • Step 3: View audit logs in Event Viewer

    Every time a user accesses the selected file/folder, and makes changes on it, an event log will be recorded in the Event Viewer. To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.

  • Search the Security Windows Logs for the event ID 4656 with the "Audit Failed" keyword to find out who tried changing a file or folder.


Native auditing becoming a little too much?

Simplify file server auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Request 1-on-1 demo

  • -Select-
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.


One of our solution experts will get in touch with you shortly.

ADAudit Plus Trusted By