File/Folder audit
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.security (More info?)
Hello,
How to find which user updated/created any file(s)/folder(s) under Windows
2000 server?
Are there any tools/utilities.
Thanks.
Hello,
How to find which user updated/created any file(s)/folder(s) under Windows
2000 server?
Are there any tools/utilities.
Thanks.
More about : file folder audit
Archived from groups: microsoft.public.win2000.security (More info?)
You would first have to enable auditing of object access in the Local
Security Policy [or other appropriate security policy] and then set auditing
on the folder. Try not to audit all permissions - just the ones you want to
track which sounds like write data, both deletes, and maybe append data.
Updated files often delete the original version of the file. Make sure that
you increase the size security log a lot to at least 15MB. You will see a
LOT of object access events in the security log and then information will be
there though can take a while to track down. What can help is if you use the
free Event Comb from Microsoft on the server and use it to search for
specific event ID's and text screens such as the name of the file or the
permission such as write or delete. This will help quite a bit in sorting
through all the object access events. Also test this out first so you can
see can see what happens in the security log and what events to look
or. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
Comb
"ram4tech" <ram4tech@discussions.microsoft.com> wrote in message
news:8802C844-4920-4674-B610-A30B1CD74A9D@microsoft.com...
> Hello,
>
> How to find which user updated/created any file(s)/folder(s) under Windows
> 2000 server?
>
> Are there any tools/utilities.
>
> Thanks.
You would first have to enable auditing of object access in the Local
Security Policy [or other appropriate security policy] and then set auditing
on the folder. Try not to audit all permissions - just the ones you want to
track which sounds like write data, both deletes, and maybe append data.
Updated files often delete the original version of the file. Make sure that
you increase the size security log a lot to at least 15MB. You will see a
LOT of object access events in the security log and then information will be
there though can take a while to track down. What can help is if you use the
free Event Comb from Microsoft on the server and use it to search for
specific event ID's and text screens such as the name of the file or the
permission such as write or delete. This will help quite a bit in sorting
through all the object access events. Also test this out first so you can
see can see what happens in the security log and what events to look
or. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
Comb
"ram4tech" <ram4tech@discussions.microsoft.com> wrote in message
news:8802C844-4920-4674-B610-A30B1CD74A9D@microsoft.com...
> Hello,
>
> How to find which user updated/created any file(s)/folder(s) under Windows
> 2000 server?
>
> Are there any tools/utilities.
>
> Thanks.
Related ressources:
- ForumAuditing object access
- ForumFile server Auditing tool
- ForumLogging
- ForumNTFS and Shared Permissions
- ForumIs there a way to report what files have been changed in a..
- Forummonitor folder activity
- ForumMove shares from 2000 server to server 2003 while retainin..
- ForumUser Problems
- ForumParallel and com ports not appearing in device manager
- ForumStrange file in my root folder
- ForumDeny _WRITE_ access to a file
- ForumDisable file types running - win2000
- ForumFile Recovery software
- ForumFile permissons
- ForumWindows cannot access the file MsAuditE.dll
- ForumQuestion about file permissions..
- ForumRecovering Encrypted File on WIndows XP workstation
- ForumAudit Object Access Problem
- More resources
!
