Monitor the central access policies associated with files and folders

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Object Access » Monitor the central access policies associated with files and folders

How to monitor changes to the central access policies that are associated with files and folders.

Objective: Monitor changes to the central access policies that are associated with files and folders.

This policy is applicable when you're using Advanced Security Auditing options to monitor dynamic access control objects. You can follow the steps in this article to monitor the central access policies after the Dynamic Access Control has been configured and deployed.

When Monitor the central access policies associated with files and folders audit policy is enabled it logs the events related to central access policy changes for files and folder. This helps an administrator monitor potential changes to selected files and folders on a file server.

The following procedures will help you configure the settings to monitor central access policies associated with files.

Step 1: Configure settings to monitor central access policies related to files or folders

  • After signing in to your domain controller, with appropriate credentials, go to Server Manager > Tools > Group Policy Management. Group Policy Management Console (GPMC) opens up.
  • Right-click the Group Policy Object from the console tree and then select Edit.
  • Double-click Computer Configuration > Security Settings > Advanced Audit Policy Configuration > Policy Change. Then, double-click Audit Authorization Policy Change.
  • Select the Configure the following audit events check box, select the Success check box and Failure check box. Select OK.

Step 2: Enable auditing for a file or folder

NOTE: To perform the following actions, you need to be a member of a local administrator's group on the computer holding the files or folders that you want to monitor.

  • Right-click the specific file or folder, select Properties > Security tab.
  • Select Advanced > Auditing tab, and then click Continue.
  • You may encounter a User Account Control dialog box at this step. If so, confirm that the action it informs you of is what you want, and click Yes.
  • Select Add, select Select a principal, type a user name or group name in the format XYZGroup\user1, and then click OK.
  • Configure the permissions that you want to audit, in the Auditing Entry for dialog box.
  • You can then click subsequent OKs four times in order to complete the configuration of the object's SACL.
  • Open a File Explorer window, and then select or create a file or folder to audit.
  • In an elevated command prompt paste this command: gpupdate /force and run it.

Step 3: Verify that changes to central access policies for selected files and folders are monitored

  • In the File Explorer window, select the file or folder that you had configured auditing policies for.
  • Right-click the file or folder, click Properties > Security tab > Advanced.
  • Click the Central Policy tab > Change and then select a different central access policy or select No Central Access Policy, and then click OK twice.
  • Make sure you choose a setting that is different than the original setting so you can verify that events are being logged.
  • In your Server Manager > Tools > select Event Viewer.
  • Expand Windows Logs > Security.
  • Event 4913, should be generated when a file or folder's central access policy is altered.

About ADAudit Plus

ADAudit Plus is a real time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:

  • Authorized and unauthorized AD management changes
  • User logons, logoffs, and account lockouts
  • GPO changes
  • Group attribute and membership changes
  • OU changes
  • Privileged access and permission changes among other things.

There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics. For more information on ADAudit Plus, visit: https://www.manageengine.com/active-directory-audit/.

Explore Active Directory auditing and reporting with ADAudit Plus.

  •  
  •  
  •  
  • By clicking 'Schedule a personalized demo' you agree to processing of personal data according to the Privacy Policy.
Account Management Auditing
Active Directory Auditing
Windows Server Auditing