• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 175
  • Last Modified:

How can I tell who has changed a File in Win2000

Is there some way to tell who has changed a file on Windows 2000 Server. The event viewer doesn't show if a file or folder has been deleted, moved, or modified. Unless I'm missing something, I would think that would be a must for adequit security? It should be in the system log. Is there any way to enable that?
1 Solution
Under administrative tools
-local security settings
   -audit policy
      -audit object access

Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.

Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
will give you a pretty reasonable step-by-step guide  :)
> ? It should be in the system log. Is there any way to enable that?

No. You want what THEY won't give

> I would think that would be a must for adequit security?

logs take up space, require backups. remember that disk drives were not always that large. log files more robust usually use tape drives. did you get one of those?

> How can I tell who has changed a File in Win2000

Well, there is the Owner. To skip all records of changes and just look for last ones involved, goto Explorer, left click on title bar, (upper right) such as on Name. You get pop-up now listing more fields like this than you'd ever care to see, and less than what you desire.  Enable a few of them to notice how well, or not, that they are used.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Follow the comment postet by aprilmj and you should get what you want. If you only want to know who has changed some files then you don't have to audit failure events but only successful events.
I agree with Audit file object access but be careful! Choose only the files that are critical to watch and not your whole C:/ Drive for instance! The overhead associated with auditing is high and the more files you choose to monitor = a reduction in system response time. The log files can grow quite large as well. Unfortunately, most people want to audit files after an incident already occured. File Auditing is not turned on by default.

It's a two step process:

A primary Setting on the Server
The Other on the resource
and you're looking at Object Access

Change of a file is >> Successful Audit

As a complimentary Link to the above
Take a look at


Pretty Decent read..


This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now