
Native Auditing

1. Navigate to the file share, right-click it and select "Properties" → "Security" tab → "Advanced" button → "Auditing" tab → click the "Add" button. Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; select the following "Advanced Permissions": create files/write data, create folders/append data, write attributes, write extended attributes.

2. Run gpedit.msc, configure Default Domain Policy → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit object access → Define → "Success and Failures". In the "Advanced Audit Policy Configuration" adjust Audit File System → Define → "Success and Failures" and Audit Handle Manipulation → Define → "Success and Failures".

3. Go to Event Log and set "Maximum security log size" to 1 GB and "Retention method for Security log" to "Overwrite events as needed".

4. Open "Event Viewer" and search the Security log for event ID 4656 with the "File System" or "Removable Storage" task category and the "Accesses: WriteData" string. "Subject Security ID" will show you who changed the file.
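
The search in step 4 can also be scripted instead of done by hand in Event Viewer. The following is an added example, not part of the original procedure; the share path `D:\Shares\Finance` and the 24-hour window are assumptions to replace with your own values.

```powershell
# Added example: list event 4656 records that requested WriteData on files
# under an audited share. Run elevated on the file server.
param(
    [string]$SharePath = 'D:\Shares\Finance',  # assumed path, replace with yours
    [int]$Hours = 24                           # assumed look-back window
)

$FILE_WRITE_DATA = 0x2                # WriteData bit in the access mask
$AUDIT_SUCCESS   = 0x20000000000000   # standard "Audit Success" keyword bit

$filter = @{
    LogName   = 'Security'
    Id        = 4656
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Index the EventData fields by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if (-not $data['AccessMask']) { return }   # skip incomplete records

        $mask    = [Convert]::ToInt32($data['AccessMask'], 16)
        $inShare = ([string]$data['ObjectName']).StartsWith(
            $SharePath, [StringComparison]::OrdinalIgnoreCase)

        if ($data['ObjectType'] -eq 'File' -and $inShare -and
            ($mask -band $FILE_WRITE_DATA)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = if ($_.Keywords -band $AUDIT_SUCCESS) { 'Success' } else { 'Failure' }
                Sid     = $data['SubjectUserSid']
                Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $data['ObjectName']
                Process = $data['ProcessName']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Event 4656 records that a handle with the listed access rights was requested, so a "Success" row shows that write access was granted to that account, and a "Failure" row shows a denied attempt.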

Netwrix Auditor for File Servers

1. Run Netwrix Auditor → Managed Objects → File Server and then click "Run" to gather logs (log gathering is performed automatically on the specified schedule; here you may need to click the "Run" button manually to avoid waiting for the next scheduled data collection). Check the e-mail received.

2. You can also view the file changes by navigating to Netwrix Auditor → Reports → File Servers → File Servers Activity → "File Server Changes" report → View.