Windows File Server: How To Enable File Auditing

As a system administrator, you've probably already heard users complaining about mysteriously disappearing files.

In order to solve one of the most common computer mysteries, and incidentally, to find and pin down the culprit so that justice can be done, we need to activate file auditing on our file-sharing server.

Enabling this audit lets us retrieve a wealth of information about any access or modification made to a given folder or file (read access, deletion, ACL modification and so on).

Group Policy

To enable file auditing we need to create a new GPO.

Create GPO

  • Open the Group Policy Management console:
    [Screenshot: opening the Group Policy Management console from the Run window]
  • Create a GPO and link it to the OU where your file server is located:
    [Screenshot: creating a GPO from the Group Policy Management console]
  • Give the GPO an explicit name:
    [Screenshot: naming the new GPO]

Configure GPO

  • Edit the newly created GPO:
    [Screenshot: editing a GPO from the Group Policy Management console]
  • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Audit Policy and edit Audit object access:
    [Screenshot: the Audit Policy settings in the GPO]
  • Check Success and Failure, then click OK:
    [Screenshot: Audit object access properties window]
  • Now go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access and edit Audit File System:
    [Screenshot: editing Audit File System from the Group Policy Management console]
  • Check Success and Failure, then click OK:
    [Screenshot: Audit File System properties window]

Windows File Server

We now need to connect to our Windows File Server to enable File Auditing on a folder.

Enable Auditing

Let's assume we want to enable auditing on the \\SRV-DATA\01-Admin share.

[Screenshot: accessing the file share from Windows File Explorer]
  • Right-click the folder and click Properties:
    [Screenshot: File Explorer context menu for the folder]
  • Go to the Security tab and click Advanced:
    [Screenshot: Security tab of the folder properties]
  • Go to the Auditing tab and click Add:
    [Screenshot: Advanced Security Settings window]
  • Click on the Select a principal link:
    [Screenshot: Auditing entry window with the Select a principal link]
  • Add the Everyone object:
    [Screenshot: Select User, Computer, Service Account or Group window]
  • Select All and This folder, subfolders and files, and click OK:
    [Screenshot: Auditing entry window]
    Note: to audit Authorization Policy Change, check the Full control box.

Check GPO is applied

  • We can check that the group policy is correctly applied using the gpresult command:
    C:\> gpresult /r /z
    [Screenshot: Windows console showing the output of the gpresult command]

Watch Logs

The audit results will be available in the Security log of the Event Viewer.

  • Open the Event Viewer and go to Security:
    [Screenshot: opening Event Viewer from the Run window]
  • Here is an example with Read access to the «01-Admin» folder from the administrateur account:
    [Screenshot: Event Viewer showing the read access event]
  • Example here with the file «New Text Document (3)» which has been Deleted by the e.cartman account:
    [Screenshot: Event Viewer showing the delete event]
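
The deletions shown in Event Viewer can also be listed from PowerShell on the file server. This is an added example, not part of the original tutorial: it assumes the accesses are logged as event ID 4663 ("An attempt was made to access an object"), and D:\Shares\01-Admin is a placeholder for the local path behind the audited share.

```powershell
# Added example: list delete operations recorded by file auditing.
# Run from an elevated PowerShell prompt on the file server.
# Assumption: D:\Shares\01-Admin is a placeholder for the local path of the audited share.
$AuditedRoot = 'D:\Shares\01-Admin'
$Since       = (Get-Date).AddDays(-7)   # look back one week
$DeleteMask  = 0x10000                  # DELETE access right, as logged in the AccessMask field

# Return one named <Data> field from the event's XML payload.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Event ID 4663 is written by the File System audit subcategory for each audited access.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $path = Get-EventField $xml 'ObjectName'
        # AccessMask is logged as a hex string such as 0x10000.
        $mask = [Convert]::ToInt32((Get-EventField $xml 'AccessMask'), 16)

        # Keep only events under the audited folder where DELETE was exercised.
        if ($path -like "$AuditedRoot\*" -and ($mask -band $DeleteMask)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = '{0}\{1}' -f (Get-EventField $xml 'SubjectDomainName'),
                                       (Get-EventField $xml 'SubjectUserName')
                Object  = $path
                Process = Get-EventField $xml 'ProcessName'
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

For accesses made over the network share, the Object column shows the server's local path rather than the UNC path.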
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.