
Logging file events in windows

Last Modified: 2013-12-04
Hi, I have a Windows 2003 file server and I need to log when users move / delete / create files. General files like Word and Excel files, not specifically system files.

Thanks in advance

You'll need to enable auditing of object access on the folders you're concerned about.  You can't specify auditing by file type, so you'll have to decide which folders you want to audit.  To do so you'll need to:

I.  Enable auditing on the specific folder(s)
 1) In Explorer.exe browse to the file or folder you want to audit
 2) Click the 'Security' menu
 3) Click the 'Advanced' button
 4) Select the 'Auditing' tab and click the 'Add' button
 5) Add the 'Everyone' group and click 'OK'
 6) The resulting "Auditing Entry for " dialog box appears
 7) In the "Apply onto" drop menu, select "This folder, subfolders and files"
 8) Choose the actions you want to audit for...
  For example, if attributes are being changed or files are being deleted
  Place check marks under the following:
  'Write Attributes' Successful
  'Write Extended Attributes' Successful
  'Delete Subfolders and Files' Successful
  'Delete' Successful
  'Change Permissions' Successful
 9) Click OK
 10) Clear the checkbox on "Allow inheritable auditing entries from parent to propagate to this object"
 11) Click OK then OK again to exit

II.  Enable audit policy (either locally or via Group Policy Object)
 To set up the local policy to Audit Object access:
 1) Click Start then Run then type
  "gpedit.msc" (without the quotes)
 2) This will execute the Group Policy Object
 3) Expand the following:
  +Computer Configuration
  +Windows Settings
  +Security Settings
  +Local Policies
  +Audit Policy
 4) Under 'Audit Policy' double-click 'Audit Object Access'
 5) Under 'Audit these attempts' place a check on
  - Success

Reference:  http://msexchangetips.blogspot.com/2006/08/windows-audit-changes-made-to-file.html
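
The folder-level steps in part I of the answer above can also be scripted. This is an added example, not part of the original answer; it assumes PowerShell is installed on the server, an administrator session, and a placeholder folder `D:\Shares\Docs`. Part II (the 'Audit Object Access' policy) still has to be enabled as described above before any events are written.

```powershell
# Added example: scripted equivalent of part I (auditing entry on a folder).
# Assumptions: run as an administrator (changing auditing entries needs the
# "Manage auditing and security log" right); D:\Shares\Docs is a placeholder.
param(
    [string]$Path = 'D:\Shares\Docs'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

# Step 8: the five actions ticked in the answer.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions'

# Step 7: "This folder, subfolders and files".
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Step 5 and the 'Successful' column: audit successful use by Everyone.
$success = [System.Security.AccessControl.AuditFlags]::Success
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $success)

# -Audit makes Get-Acl return the auditing entries as well as the permissions.
$acl = Get-Acl -Path $Path -Audit

# Step 10: stop auditing entries propagating from the parent.
# The second argument ($true) keeps a copy of entries that were inherited so far;
# that choice is an assumption, the answer does not say whether to copy or remove.
$acl.SetAuditRuleProtection($true, $true)

$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the entries back to confirm what is now audited on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```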

Ned Ramsay, Network Operations Manager

Commented:
You have to create a policy on the server. See http://technet.microsoft.com/en-us/library/cc787413.aspx
Be warned that in folders with high read/writes you will start to notice a slowdown on your system. Also, it writes it into the event viewer, so it can be a pain to find the correct entries.
Hope this helps.

Author

Commented:
Fantastic, thanks