Configure File System Object Auditing

This section provides a step-by-step procedure for enabling auditing to track changes to File System objects. The process consists of two primary steps:


  • Enable the audit policy using the Group Policy Management console in the domain

    (OR)

    Enable the audit policy using the Local Group Policy Object Editor console on the local computer.

  • Set up auditing for a file or folder on a computer.

Enable audit policy using the Group Policy Management console in the domain.

  1. Click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, right-click Default Domain Policy, and then click Edit.

  3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

  4. In the details pane, right-click Audit object access, and then click Properties.

  5. Select the Define these policy settings check box.

  6. Under Audit these attempts, select the Success check box, and then click OK.

Note: Audit policy settings configured in the Default Domain Policy will be applied to all the workstation(s) and server(s) in the domain.


Enable audit policy using the Local Group Policy Object Editor console on the local computer.

  1. To open the Local Group Policy Object Editor console, click Start, click Run, type gpedit.msc, and then click OK.

  2. In the console tree, double-click Local Computer Policy to expand it.

  3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

  4. In the details pane, right-click Audit object access, and then click Properties.

  5. Select the Define these policy settings check box.

  6. Under Audit these attempts, select the Success check box, and then click OK.


Set up auditing for File or Folder in a Computer


To set up SACL auditing for a folder or file, perform the following steps:

  1. Open Windows Explorer.

  2. Right-click the file or folder that you want to audit, and then click Properties.

  3. Click the Security tab, click Advanced, and then click the Auditing tab.

  4. Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.

  5. In Apply onto, click This folder, subfolders and files.

  6. Under Access, select the Successful check box for Write attributes and Write extended attributes. If you want to audit creation and deletion of objects, select the Successful check box for Delete, Delete subfolders and files, Create files / write data and Create folders / append data. If you want to audit permissions changes in objects, select the Successful check box for Change Permissions too.

  7. If you want to audit ownership changes in objects, select the Successful check box for Take ownership.

  8. If you want to audit who has accessed the folders and files, select the Successful check box for List folder / read data, Read attributes and Read extended attributes.

    Warning: Enable SACL auditing for List folder / read data, Read attributes and Read extended attributes only for your critical folders and files. Otherwise, auditing these accesses on a large number of folders, for example your root folder or other folders you do not need to monitor, may cause event flooding.
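
The SACL steps above, scripted in PowerShell as an added example that is not part of the original procedure. The folder path C:\Data\Finance and the $AuditReads switch are placeholders, and the session is assumed to be elevated on an English-language system.

```powershell
# Added example. Placeholder values; run in an elevated PowerShell session.
$Path       = 'C:\Data\Finance'   # hypothetical folder to audit
$AuditReads = $false              # set to $true only for critical folders (see the warning above)

# 1. Confirm that the "Audit object access" policy reached this computer.
#    Category names are localized; this assumes an English-language system.
auditpol /get /category:"Object Access" | Select-String 'File System'

# 2. Build the access mask from steps 6 and 7 (dialog label -> FileSystemRights name).
$rightNames = @(
    'WriteAttributes', 'WriteExtendedAttributes',   # Write attributes, Write extended attributes
    'Delete', 'DeleteSubdirectoriesAndFiles',       # Delete, Delete subfolders and files
    'CreateFiles', 'CreateDirectories',             # Create files / write data, Create folders / append data
    'ChangePermissions', 'TakeOwnership'            # Change permissions, Take ownership
)
if ($AuditReads) {
    # Step 8: List folder / read data, Read attributes, Read extended attributes
    $rightNames += 'ListDirectory', 'ReadAttributes', 'ReadExtendedAttributes'
}
$rights = [System.Security.AccessControl.FileSystemRights]($rightNames -join ', ')

# 3. "This folder, subfolders and files" = inherit to containers and objects, no propagation limit.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$success   = [System.Security.AccessControl.AuditFlags]::Success
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Authenticated Users', $rights, $inherit, $propagate, $success

# 4. Read the existing SACL (-Audit), add the rule, and write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 5. Show the resulting audit entries so they can be compared with the Auditing tab.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```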