
March 11, 2024

How to Detect Who Changed the File/Folder NTFS Permissions on Windows

In some cases, the administrator needs to find out which process (program) or user has changed the NTFS permissions on a specific folder or file on a Windows file server. This article shows how to track NTFS permissions changes made to file system objects using audit policy, PowerShell scripts, and the ProcMon tool.

You need to configure an audit policy to track changes to NTFS permissions on Windows file system objects.

  1. Open the Group Policy Editor. If you want to configure the file system audit policy on a single server, open the Local Group Policy Editor console (gpedit.msc). If you want to enable auditing on multiple devices in a domain (for example, all file servers), create a separate GPO using the Group Policy Management console (gpmc.msc);
  2. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access;
  3. Enable the Audit File System option and select Success;
  4. Now enable auditing in the properties of the directory in which you want to track permission changes. Open the folder properties -> go to the Security tab -> Advanced -> Auditing tab -> Continue -> click Add and add a group (select a principal) whose activity you want to track. We have specified Everyone here;
    Previously, we showed you how to use file system auditing to find the user who deleted a file or folder on a Windows file server.
  5. Select Type=Success and enable the Change Permissions and Take Ownership options under Advanced Permissions;
  6. Don't forget to update the Group Policy settings on the host: gpupdate /force

Now, if someone has changed NTFS permissions on items in the specified folder, an event with event ID 4670 will appear in the Security log.

Open the Event Viewer console (eventvwr.msc) -> Windows Logs -> Security. Filter the event list by the EventID 4670 (Permissions on an object were changed) and open the latest event.

The event description shows the name of the user who changed the permissions (Account Name:) and the process that did it (for example, C:\Windows\explorer.exe). It also contains the previous ACL (Original Security Descriptor) and the new permission list (New Security Descriptor).

If you want to store more events in the Security log (over a longer time interval), you will need to increase the size of the Event Viewer log.

Please note that both security descriptors are shown as SDDL strings (the D: section is the DACL), which are difficult to read. Fortunately, you can use the built-in PowerShell cmdlet ConvertFrom-SddlString to convert a Security Descriptor Definition Language string into a PSCustomObject.

To see which access groups have been changed in the object’s NTFS permissions, compare the old and the new security descriptors (copy the SDDL values from event 4670):

# Original Security Descriptor from the event
$oldperm = ConvertFrom-SddlString "D:PAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1774357850-3643260196-2143367957-1125)(A;OICI;0x1301bf;;;S-1-5-21-1774357850-3643260196-2143367957-1124)"
# New Security Descriptor from the event
$newperm = ConvertFrom-SddlString "D:PARAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;S-1-5-21-1774357850-3643260196-2143367957-1124)(A;OICI;0x1200a9;;;S-1-5-21-1774357850-3643260196-2143367957-1125)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
# Show only the ACEs that differ between the two DACLs
Compare-Object -ReferenceObject $oldperm.DiscretionaryAcl -DifferenceObject $newperm.DiscretionaryAcl | Format-List

In this example, you can see that the new ACL grants read permissions to the Builtin\Users group.


You can use the Get-WinEvent PowerShell cmdlet to search the Windows Event Log. For instance, the following script finds the most recent event with Event ID 4670 and extracts the SubjectUserName, OldSd and NewSd values from its event data:

# Get the latest 4670 event from the Security log
$event = Get-WinEvent -FilterHashtable @{logname='Security';id=4670} -MaxEvents 1
[xml]$xmlevent = $event.ToXml()
$eventobj = New-Object System.Management.Automation.PSObject
# In the 4670 event schema, Data[1] is SubjectUserName, Data[8] is OldSd and Data[9] is NewSd
$eventobj | Add-Member Noteproperty -Name $xmlevent.Event.EventData.Data[1].name -Value $xmlevent.Event.EventData.Data[1].'#text'
$eventobj | Add-Member Noteproperty -Name $xmlevent.Event.EventData.Data[8].name -Value $xmlevent.Event.EventData.Data[8].'#text'
$eventobj | Add-Member Noteproperty -Name $xmlevent.Event.EventData.Data[9].name -Value $xmlevent.Event.EventData.Data[9].'#text'
$eventobj | Format-List
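The two snippets above (comparing the two SDDL strings, and pulling OldSd/NewSd out of a 4670 event) can be combined into one report. The following is an added example, not code from the original article: it reads the last N 4670 events, looks up the event data fields by name instead of by index, converts both descriptors with ConvertFrom-SddlString and lists, per event, which ACEs were added or removed. The function name Get-NtfsPermissionChange and the $ObjectNameFilter parameter are assumptions; it must run in an elevated session on the audited file server.

```powershell
# Added example (not part of the original article): summarise NTFS permission changes
# recorded as event 4670 in the Security log. Assumes an elevated PowerShell session
# on the server where file system auditing (see the steps above) is enabled.
function Get-NtfsPermissionChange {
    param(
        [int]$MaxEvents = 20,
        [string]$ObjectNameFilter = '*'     # e.g. 'C:\Shares\Finance*' to limit to one folder
    )
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4670} `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        [xml]$xml = $event.ToXml()
        # Build a name -> value table from EventData so fields are addressed by name
        # (SubjectUserName, ObjectName, OldSd, NewSd, ProcessName ...) rather than by index
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -notlike $ObjectNameFilter) { continue }

        # OldSd/NewSd may be '-' or unparsable in rare cases; treat that as an empty DACL
        try   { $old = @((ConvertFrom-SddlString $data['OldSd']).DiscretionaryAcl) } catch { $old = @() }
        try   { $new = @((ConvertFrom-SddlString $data['NewSd']).DiscretionaryAcl) } catch { $new = @() }

        # Set difference on the human-readable ACE strings produced by ConvertFrom-SddlString
        $added   = @($new | Where-Object { $_ -notin $old })
        $removed = @($old | Where-Object { $_ -notin $new })

        [pscustomobject]@{
            Time        = $event.TimeCreated
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process     = $data['ProcessName']
            Object      = $data['ObjectName']
            AddedAces   = $added
            RemovedAces = $removed
        }
    }
}

# Report only events where the DACL actually changed (4670 is also logged for
# owner changes and for re-applied identical ACLs)
Get-NtfsPermissionChange -MaxEvents 50 |
    Where-Object { $_.AddedAces.Count -gt 0 -or $_.RemovedAces.Count -gt 0 } |
    Format-List
```

Export the result with Export-Csv if you want to keep a history longer than the Security log retains, since the log will overwrite old 4670 events once it reaches its maximum size.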


You can use the built-in icacls.exe tool or the Get-ACL PowerShell cmdlet to back up the current NTFS permissions of a directory.

If you need to find out which process and user are changing NTFS permissions on a folder right now, you can use the Process Monitor utility (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon). It allows you to locate the source of permission changes to file system objects in real time.

  1. Download and run procmon64.exe;
  2. Configure the filter: Filter -> Filter (CTRL+S). Add the rule Path -> begins with -> <your folder path> -> Include, and the rule Operation -> is -> SetSecurityFile -> Include;
  3. From now on, if someone changes NTFS permissions on any object in that folder, a new event appears in the ProcMon window. It shows the process (explorer.exe) and the name of the user who changed the permissions.
