July 8, 2024

Configure File and Folder Access Auditing on Windows (GPO)

The file system audit policy in Windows allows an administrator to monitor all access events to specific files and folders on a disk. Once the audit policy is enabled, file and folder creation, read, modification, and deletion events on the NTFS file system are recorded. File system auditing is most commonly used to control access to, and changes in, shared network folders on Windows file servers that multiple users access simultaneously.

Contents:
  • Enable File System Object Access Audit Policy on Windows
  • How to Apply an Audit Policy to a Folder or File in Windows
  • Viewing File System Access Events on Windows

Enable File System Object Access Audit Policy on Windows

File system object access auditing is not enabled by default in Windows. Access auditing can be enabled via Group Policy. To configure the audit policy on a standalone server, use the local Group Policy Editor console (gpedit.msc). If you need to enable the audit policy on multiple computers in an AD domain, use the domain GPO management console (gpmc.msc).

  1. Open the GPO editor and go to Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access.
  2. Open the Audit File System policy and specify that only successful access to file system objects should be logged (Configure the following audit events -> Success).
  3. Save the changes and update the local Group Policy settings with the command: gpupdate /force

Alternatively, enable the local file system audit policy from the command prompt.

List available audit categories:

AuditPol.exe /list /subcategory:*

Enable auditing of successful file system object access events:

AuditPol.exe /set /subcategory:"File System" /success:enable

Check the current audit settings:

AuditPol.exe /get /category:"Object Access"
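The three AuditPol.exe commands above can be turned into a repeatable check: read the current setting of the "File System" subcategory in CSV report mode (auditpol's /r switch), and enable Success auditing only if it is not already on. This is an added example, not code from the original article; the function names are mine, and it must run in an elevated PowerShell session.

```powershell
# Added example (not from the original article): verify that the "File System"
# audit subcategory logs successful access, and enable it if it does not.
# auditpol /get ... /r returns CSV, which is easier to parse than the table output.

function Get-FileSystemAuditSetting {
    # CSV columns: Machine Name,Policy Target,Subcategory,Subcategory GUID,
    #              Inclusion Setting,Exclusion Setting
    $rows = auditpol.exe /get /subcategory:"File System" /r |
        Where-Object { $_ -match ',' } |      # drop any blank lines before the header
        ConvertFrom-Csv
    return $rows |
        Where-Object { $_.Subcategory -eq 'File System' } |
        Select-Object -ExpandProperty 'Inclusion Setting'
}

function Enable-FileSystemSuccessAudit {
    $current = Get-FileSystemAuditSetting
    # Possible values: "No Auditing", "Success", "Failure", "Success and Failure"
    if ($current -match 'Success') {
        Write-Host "File System auditing already logs successful access: $current"
        return $true
    }
    Write-Host "File System auditing is '$current'; enabling Success auditing"
    auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed with exit code $LASTEXITCODE (is the session elevated?)"
        return $false
    }
    # Re-read the setting so the return value reflects what is actually in effect
    return ((Get-FileSystemAuditSetting) -match 'Success')
}

Enable-FileSystemSuccessAudit
```

On a domain-joined computer, a local change made with AuditPol.exe is overwritten at the next Group Policy refresh if the Advanced Audit Policy for that subcategory is defined in a domain GPO, so the GPO route described in the steps above is the one that persists.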

How to Apply an Audit Policy to a Folder or File in Windows

Enabling the audit policy alone does not produce any events in the Event Viewer. The administrator must also manually configure audit settings on each file or folder to be monitored.

For example, your task is to track read/change/create events for all files in C:\Docs folder.

  1. Open the folder properties and go to Security -> Advanced -> Auditing.
  2. Click Add and, in the Principal field, select the users and/or groups whose object access events you want to monitor. Select Users to audit file access for all users, or select Everyone if you also want to include file access events generated by system processes.
  3. In Type, specify that only successful access events should be tracked (Success).
  4. Under Applies to, specify whether the auditing policy should apply to the folder, files, or subfolders (the default value is This folder, subfolders and files).
  5. In the Advanced Permissions list, select only the actions on files and folders that you want sent to the audit log. For example, to monitor only read and file modification events, select List folder/read data, Create files / write data, and Create folders / append data.
    See an example of how to use Windows auditing policies to find the user who deleted a file from a shared folder.
  6. Save the audit settings.

When configuring file system access auditing policies, enable auditing only for the folders and files you actually need. The Security event log grows significantly if access auditing is enabled for a large number of items.

To enable auditing for a specific directory, PowerShell can be used:

$Path = "C:\Docs"
# Audit successful Delete and DeleteSubdirectoriesAndFiles operations by members of BUILTIN\Users.
# Constructor arguments: identity, FileSystemRights, InheritanceFlags, PropagationFlags, AuditFlags
$AuditChangesRules = New-Object System.Security.AccessControl.FileSystemAuditRule('BUILTIN\Users', 'Delete,DeleteSubdirectoriesAndFiles', 'none', 'none', 'Success')
# -Audit loads the folder's existing audit rules (SACL) so they are preserved when the new rule is added
$Acl = Get-Acl -Path $Path -Audit
$Acl.AddAuditRule($AuditChangesRules)
Set-Acl -Path $Path -AclObject $Acl

List the folder audit settings:

(Get-Acl "C:\Docs\" -Audit).Audit

Configure folder audit settings from PowerShell

To recursively scan all directories and find the subfolders for which file system auditing is enabled, use this script:

$folders = Get-ChildItem "c:\docs" -Recurse | Where-Object { $_.PSIsContainer }
foreach ($folder in $folders)
{
    # .Audit is empty when the folder has no explicit or inherited audit rules (SACL entries)
    $auditacl = (Get-Acl $folder.FullName -Audit).Audit
    if ($auditacl.Count -gt 0) { Write-Host $folder.FullName }
}
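The GUI steps 2 to 5 above (principal, Success only, "This folder, subfolders and files", read/write/append rights) map directly onto the FileSystemAuditRule constructor used in the snippet before this one. The following function is an added example, not code from the original article: it applies exactly that audit entry from PowerShell and returns the resulting SACL so the change can be verified. The folder C:\Docs and the principal BUILTIN\Users are the article's values reused as defaults; the function name is mine. Writing a SACL requires an elevated session.

```powershell
# Added example (not from the original article): apply the audit settings from the
# GUI steps above to a folder and return the folder's audit rules for verification.

function Add-FolderAccessAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Principal = 'BUILTIN\Users',
        # Step 5: read, write and append (CreateFiles is the enum name for "Create files / write data")
        [System.Security.AccessControl.FileSystemRights] $Rights =
            [System.Security.AccessControl.FileSystemRights]'ReadData, CreateFiles, AppendData'
    )
    # Step 4: "This folder, subfolders and files" = inherit to both containers and objects
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    # Step 3: successful accesses only
    $flags     = [System.Security.AccessControl.AuditFlags]::Success

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $Principal, $Rights, $inherit, $propagate, $flags

    # -Audit is required to read the SACL; without it Get-Acl returns only the DACL
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the SACL back so the caller sees what is actually in effect
    return (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited
}

Add-FolderAccessAudit -Path 'C:\Docs' | Format-Table -AutoSize
```

Because the rule inherits to subfolders and files, running the recursive scan script above afterwards lists every subfolder under C:\Docs, which is the expected result and a quick way to confirm that inheritance was applied as intended.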

Viewing File System Access Events on Windows

Once auditing is enabled on a folder, any audited action on the files in it writes an event to the Security log, which can be viewed in the Event Viewer. To view the events:

  1. Open the Event Viewer snap-in (eventvwr.msc).
  2. Go to Windows Logs -> Security and filter the events by Source: Microsoft Windows security auditing, Task Category: File System.
  3. Open any event found. For example, the event with EventID 4663 ("An attempt was made to access an object") contains the user who interacted with the file (Account Name), the file name (Object Name), and the type of operation (Accesses: WriteData (or AddFile) for a write to the file in this case).

However, the Event Viewer console’s filtering and search capabilities are quite poor, and using it to search for all actions on a particular file is inconvenient.

It is better to use PowerShell to find and list all access events for a particular file system object. The following script lists all access events for a specified file (the Get-WinEvent cmdlet is used to query the Security log):

$fileName = "C:\docs\new_test_file.txt"
# 4663 = an attempt was made to access an object; 4659 = a handle was requested with intent to delete
$results = Get-WinEvent -FilterHashtable @{logname='Security'; id=4663,4659} |
    Where-Object { $_.Message -match [regex]::Escape($fileName) -and
                   $_.Message -notmatch 'Account Name:\s+\S+\$' }   # skip computer accounts (names end with $)
foreach ($result in $results) {
    $Account    = $result.Properties[1].Value    # SubjectUserName
    $objectName = $result.Properties[6].Value    # ObjectName
    $accessMask = $result.Properties[8].Value    # AccessList in 4663
    # In 4659 the field at index 8 is the TransactionId GUID; its AccessList is at index 9
    if ($accessMask -like "*00000000-*") { $accessMask = $result.Properties[9].Value }
    $fileOperation = ""
    # Map the %%NNNN access right codes in the message to readable names
    switch -Wildcard ($accessMask) {
        "*%%1538*" { $fileOperation = "READ_CONTROL" }
        "*%%4416*" { $fileOperation = "ReadData (or ListDirectory)" }
        "*%%4417*" { $fileOperation = "WriteData (or AddFile)" }
        "*%%4418*" { $fileOperation = "AppendData (or AddSubdirectory or CreatePipeInstance)" }
        "*%%4419*" { $fileOperation = "ReadEA" }
        "*%%4420*" { $fileOperation = "WriteEA" }
        "*%%4423*" { $fileOperation = "ReadAttributes" }
        "*%%4424*" { $fileOperation = "WriteAttributes" }
        "*%%4426*" { $fileOperation = "Delete" }
        "*%%4428*" { $fileOperation = "ReadControl" }
        "*%%4429*" { $fileOperation = "WriteDAC" }
        "*%%4430*" { $fileOperation = "WriteOwner" }
        "*%%4432*" { $fileOperation = "Synchronize" }
        "*%%4433*" { $fileOperation = "AccessSystemSecurity" }
        "*%%4434*" { $fileOperation = "MaximumAllowed" }
        "*%%4436*" { $fileOperation = "GenericAll" }
        "*%%4437*" { $fileOperation = "GenericExecute" }
        "*%%4438*" { $fileOperation = "GenericWrite" }
        "*%%4439*" { $fileOperation = "GenericRead" }
        "*%%1537*" { $fileOperation = "DELETE" }
        default    { $fileOperation = "Unknown" }
    }
    Write-Host $result.Id $result.TimeCreated $Account $objectName $fileOperation
}


You can forward the resulting list of access audit events to your log collector, database, or text log file, or send an email notification with Send-MailMessage when a monitored file is accessed or modified.
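The script above matches the file path against the rendered message text and reads event fields by their position in Properties, which differs between 4663 and 4659. The following function, an added example that is not code from the original article, does the same job in a more robust way: the file path is filtered by the event log service itself through an XPath query on the ObjectName field, each event's EventData is read by field name, and the hexadecimal AccessMask is decoded with the FileSystemRights enumeration rather than a hand-written table. The path C:\Docs\new_test_file.txt is the article's example file; the function name is mine.

```powershell
# Added example (not from the original article): list 4663 events for one file by
# querying the Security log with XPath and reading EventData fields by name.

function Get-FileAccessEvents {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [int] $MaxEvents = 200
    )
    # The comparison is done by the event log service, so only matching events are
    # returned; it is an exact (case-sensitive) string match on ObjectName.
    # An '&' in the path would have to be XML-escaped as &amp;.
    $xpath = "*[System[(EventID=4663)]] and *[EventData[Data[@Name='ObjectName']='$FilePath']]"
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@
    $events = Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Convert the event to XML and index its EventData by the Name attribute,
        # so the code does not depend on field positions
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # AccessMask is a hex string such as 0x2; casting the integer to
        # FileSystemRights yields names like CreateFiles (= WriteData) or ReadData
        $mask   = [Convert]::ToInt32($data['AccessMask'], 16)
        $rights = [System.Security.AccessControl.FileSystemRights]$mask

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectName  = $data['ObjectName']
            Rights      = $rights.ToString()
            ProcessName = $data['ProcessName']
        }
    }
}

Get-FileAccessEvents -FilePath 'C:\Docs\new_test_file.txt' |
    Where-Object { $_.Account -notmatch '\$$' } |   # drop computer accounts (names end in $)
    Sort-Object Time |
    Format-Table -AutoSize
```

Because the objects are emitted rather than written with Write-Host, the same pipeline can end in Export-Csv, a database insert, or a Send-MailMessage call, which is the forwarding scenario the paragraph above describes.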
