Windows File Server : How To Enable File Auditing
- Last updated: Oct 13, 2024
As a system administrator, you've probably already heard users complaining about mysteriously disappearing files.
In order to solve one of the most common computer mysteries, and incidentally, to find and pin down the culprit so that justice can be done, we need to activate file auditing on our file-sharing server.
Enabling this audit lets us retrieve detailed information about every access to, or modification of, a given folder or file (read access, deletion, ACL modification and so on), along with the account and the process that performed it.
Group Policy
To enable file auditing we need to create a new GPO.
Create GPO
- Open the Group Policy Manager:

- Create a GPO and link it to the OU where your file server is located:

- Give the GPO a descriptive name:

Configure GPO
- Edit the newly created GPO:

- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy and edit Audit object access:

- Check Success and Failure then click OK:

- Now go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access and edit Audit File System:

- Check Success and Failure, then click OK. On current Windows versions this advanced subcategory setting takes precedence over the legacy Audit object access category configured above, so it is the value that actually decides whether file events are generated and the one to verify on the server:

Windows File Server
We now need to connect to our Windows File Server to enable File Auditing on a folder.
Enable Auditing
Let's assume we want to enable auditing on the \\SRV-DATA\01-Admin share.

- Right-click the folder and click Properties:

- Go to the Security tab and click Advanced:

- Go to the Auditing tab and click Add:

- Click on the Select a principal link:

- Add the Everyone object:

- Set Type to All (success and failure) and Applies to to This folder, subfolders and files, then click OK:
Note: to also audit permission changes (Authorization Policy Change), check the Full control box, which adds Change permissions and Take ownership to the audited rights.
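The same audit entry can be written from the command line, which is easier to repeat across many shares. The following is an added example and not code from the original post; it assumes the \\SRV-DATA\01-Admin share is backed by the hypothetical local path D:\Shares\01-Admin, and it must run in an elevated session on the file server because writing a SACL requires the SeSecurityPrivilege that administrators hold.

```powershell
# Added example, not from the original post: set the folder's audit entry (SACL) with PowerShell.
# Assumption: the \\SRV-DATA\01-Admin share is backed by D:\Shares\01-Admin (hypothetical path).
$Path = 'D:\Shares\01-Admin'

# -Audit makes Get-Acl read the SACL as well as the DACL.
$acl = Get-Acl -Path $Path -Audit

# Everyone by well-known SID (S-1-1-0) so the script also works on servers whose
# display language localizes the name (e.g. "Tout le monde").
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# Full control covers read, write and delete, and also Change permissions / Take ownership,
# which is what the GUI note about Authorization Policy Change refers to.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',  # this folder, subfolders and files
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'                        # Type: All
)

$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify what was written; IsInherited is False for the entry just added.
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize
```

The SACL alone produces nothing: events are only generated once the Audit File System subcategory from the GPO is in effect on this server, so apply the audit entry and the policy together.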

Check GPO is applied
- We can check that the group policy is correctly applied by running the gpresult command on the file server:
C:\> gpresult /r /z
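gpresult only proves that the GPO was applied, not that the audit subcategory ended up enabled (a conflicting GPO or a local override can still win). The following added example, not part of the original post, refreshes policy on the file server and then checks the effective Audit File System setting with auditpol, querying the subcategory by its GUID so it works whatever the server's display language.

```powershell
# Added example, not from the original post: verify the effective audit policy on the file server.
# Run in an elevated session on SRV-DATA.
gpupdate /target:computer /force | Out-Null

# Applied and denied GPOs for the computer; the file-audit GPO should be listed under
# "Applied Group Policy Objects".
gpresult /r /scope:computer

# Audit File System (Object Access) subcategory, by GUID rather than localized name.
$fsGuid = '{0CCE921D-69AE-11D9-BED3-505054503030}'
$policy = auditpol /get /subcategory:$fsGuid /r |
    Where-Object { $_ } |      # drop blank lines before parsing the CSV report
    ConvertFrom-Csv

$policy | Select-Object Subcategory, 'Inclusion Setting'

# On an English server the expected value is 'Success and Failure'; the text is localized elsewhere.
if ($policy.'Inclusion Setting' -ne 'Success and Failure') {
    Write-Warning "Audit File System is '$($policy.'Inclusion Setting')', expected 'Success and Failure'."
}
```

On a standalone server with no GPO, the same subcategory can be enabled locally with `auditpol /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable`; on a domain member that local value is overwritten at the next policy refresh, which is why the GPO route above is the one to use.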

Watch Logs
Audit events are written to the Security log (Event Viewer > Windows Logs > Security). File auditing is verbose, so raise the log's maximum size or forward the events to a collector; otherwise the entry you need may already have rolled over by the time a user reports a missing file.
- Open the Event Viewer and go to Security:

- Here is an example of Read access to the «01-Admin» folder from the administrateur account (event ID 4663, An attempt was made to access an object):

- Another example, with the file «New Text Document (3)» deleted by the e.cartman account (event ID 4660, An object was deleted, preceded by a 4663 with DELETE access for the same handle):
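Clicking through events one by one does not scale once auditing is on. The following added example, not code from the original post, pulls the last day of 4663/4660 events from the Security log, decodes the AccessMask into readable rights, and resolves the file name for delete events, which carry no ObjectName themselves. It assumes the share is backed by the hypothetical path D:\Shares\01-Admin and must run elevated on SRV-DATA (reading the Security log requires it).

```powershell
# Added example, not from the original post: "who did what to which file" from the Security log.
# Assumption: the \\SRV-DATA\01-Admin share is backed by D:\Shares\01-Admin (hypothetical path).
$Folder = 'D:\Shares\01-Admin'
$Since  = (Get-Date).AddDays(-1)

# AccessMask bits of event 4663 that answer the usual questions (read, change, delete, ACL change).
$AccessNames = @{
    0x1     = 'ReadData'
    0x2     = 'WriteData'
    0x4     = 'AppendData'
    0x10000 = 'DELETE'
    0x40000 = 'WRITE_DAC'     # permissions changed
    0x80000 = 'WRITE_OWNER'   # ownership taken
}

function ConvertTo-AccessNames([string]$Mask) {
    # $Mask comes from the event as hex text such as 0x10000.
    $m = [Convert]::ToInt64($Mask, 16)
    ($AccessNames.Keys | Sort-Object | Where-Object { $m -band $_ } | ForEach-Object { $AccessNames[$_] }) -join ','
}

function Get-EventDataMap($Event) {
    # EventData/Data elements keyed by their Name attribute (SubjectUserName, ObjectName, ...).
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

# 4663 = an attempt was made to access an object; 4660 = an object was deleted.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $Since } `
    -ErrorAction SilentlyContinue

# A 4660 has no ObjectName: the name is in the 4663 (DELETE access) logged just before it
# with the same HandleId, so remember names by handle while walking the log in order.
$nameByHandle = @{}
$rows = foreach ($e in ($events | Sort-Object TimeCreated, RecordId)) {
    $d   = Get-EventDataMap $e
    $who = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
    if ($e.Id -eq 4663) {
        $nameByHandle[$d.HandleId] = $d.ObjectName
        if ($d.ObjectName -notlike "$Folder*") { continue }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Account = $who; Object = $d.ObjectName
                           Access = (ConvertTo-AccessNames $d.AccessMask); Process = $d.ProcessName }
    }
    else {
        $name = $nameByHandle[$d.HandleId]
        if (-not $name -or $name -notlike "$Folder*") { continue }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Account = $who; Object = $name
                           Access = 'DELETED'; Process = $d.ProcessName }
    }
}

$rows | Format-Table -AutoSize
```

Access through the share shows up with ProcessName System and the SMB client's account in SubjectUserName, which is exactly what is needed to name the culprit; a 4663 with WRITE_DAC is the ACL change mentioned at the top of the page.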
