How to track who changed a file or a folder in Windows?

Naive Method

Step 1: Enable 'Audit object access' policy

• Launch the Group Policy Management console (Run --> gpedit.msc)
• Create a new GPO and link it to the domain containing the file server or edit the existing GPO that is linked to the relevant domain.
• Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.
• Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.
  

Step 2: Edit auditing entry in the respective file/folder

• Locate the file or folder for which you wish to track all the accesses. Right click on it and go to Properties. Under the Security tab click Advanced.
• In Advanced Security Settings, go to the Auditin tab and click Add to add a new auditing entry.
  
  

In the Auditing Entry for Active Directory dialog box, enter the following details:

• Principal: Enter the names of the users whose access you wish to audit.
• Type: Select the type of access you want to audit. It is preferable to audit "All" changes.
• Applies to: Select whether you want to audit permission changes only on this file, or on all sub folders and files.
• Basic permissions: Choose the types of permissions you want to audit. For your specific need, click 'Advanced permissions', and select 'Traverse folder / execute file', 'List folder / read data', 'Create files /write data', 'Create folders / append data', 'Write attribute'.

Step 3: View audit logs in Event Viewer

• Every time a user accesses the selected file/folder, and changes the permission on it, an event log will be recorded in the Event Viewer. To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.
  
• Search the Security Windows Logs for the event ID 4656 with the Audit Failed keyword to find out who tried changing a file or folder.