How can I tell who has changed a File in Win2000

Posted on 2003-02-24
Medium Priority
Last Modified: 2013-12-04
Is there some way to tell who has changed a file on Windows 2000 Server. The event viewer doesn't show if a file or folder has been deleted, moved, or modified. Unless I'm missing something, I would think that would be a must for adequit security? It should be in the system log. Is there any way to enable that?
Question by:astrazx
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

aprilmj earned 400 total points
ID: 8012835
Under administrative tools
-local security settings
   -audit policy
      -audit object access

Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.

Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.

Expert Comment

ID: 8012844
will give you a pretty reasonable step-by-step guide  :)

Expert Comment

ID: 8012903
> ? It should be in the system log. Is there any way to enable that?

No. You want what THEY won't give

> I would think that would be a must for adequit security?

logs take up space, require backups. remember that disk drives were not always that large. log files more robust usually use tape drives. did you get one of those?

> How can I tell who has changed a File in Win2000

Well, there is the Owner. To skip all records of changes and just look for last ones involved, goto Explorer, left click on title bar, (upper right) such as on Name. You get pop-up now listing more fields like this than you'd ever care to see, and less than what you desire.  Enable a few of them to notice how well, or not, that they are used.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 11

Expert Comment

ID: 8014392
Follow the comment postet by aprilmj and you should get what you want. If you only want to know who has changed some files then you don't have to audit failure events but only successful events.

Expert Comment

ID: 8020358
I agree with Audit file object access but be careful! Choose only the files that are critical to watch and not your whole C:/ Drive for instance! The overhead associated with auditing is high and the more files you choose to monitor = a reduction in system response time. The log files can grow quite large as well. Unfortunately, most people want to audit files after an incident already occured. File Auditing is not turned on by default.


Expert Comment

ID: 8025299
It's a two step process:

A primary Setting on the Server
The Other on the resource
and you're looking at Object Access

Change of a file is >> Successful Audit

As a complimentary Link to the above
Take a look at


Pretty Decent read..



Expert Comment

ID: 9070853
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses
Course of the Month11 days, 2 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question