Logging file events in Windows

Posted on 2009-02-17
Last Modified: 2013-12-04
Hi, I have a Windows 2003 file server and I need to log when users move / delete / create files. General files like Word and Excel files, not specifically system files.

Thanks in advance
Question by:mathew1010

    Accepted Solution

    You'll need to enable auditing of object access on the folders you're concerned about.  You can't specify auditing by file type, so you'll have to decide which folders you want to audit.  To do so you'll need to:

    I.  Enable auditing on the specific folder(s)
     1) In Explorer.exe browse to the file or folder you want to audit
     2) Click the 'Security' menu
     3) Click the 'Advanced' button
     4) Select the 'Auditing' tab and click the 'Add' button
     5) Add the 'Everyone' group and click 'OK'
     6) The resulting "Auditing Entry for " dialog box appears
     7) In the "Apply onto" drop menu, select "This folder, subfolders and files"
     8) Choose the actions you want to audit for...
      For example, if attributes are being changed or files are being deleted
      Place check marks under the following:
      'Write Attributes' Successful
      'Write Extended Attributes' Successful
      'Delete Subfolders and Files' Successful
      'Delete' Successful
      'Change Permissions' Successful
     9) Click OK
     10) Clear the checkbox on "Allow inheritable auditing entries from parent to propagate to this object"
     11) Click OK then OK again to exit

    II.  Enable audit policy (either locally or via Group Policy Object)
     To set up the local policy to Audit Object access:
     1) Click Start then Run then type
      "gpedit.msc" (without the quotes)
     2) This will execute the Group Policy Object
     3) Expand the following:
      +Computer Configuration
      +Windows Settings
      +Security Settings
      +Local Policies
      +Audit Policy
     4) Under 'Audit Policy' double-click 'Audit Object Access'
     5) Under 'Audit these attempts' place a check on
      - Success
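
The folder auditing entry from part I of the answer above can also be applied from a script, which helps when several shares need the same entry. This is an added example, not part of the original answer; it assumes Windows PowerShell is installed on the server and run as an administrator, and `D:\Shares\Docs` is a placeholder path. Events are written only once the 'Audit Object Access' policy from part II is enabled.

```powershell
# Added example: scripted equivalent of part I (the folder's audit entries, i.e. its SACL).
# Assumptions: administrator session (reading or writing a SACL needs the
# "Manage auditing and security log" right); the path below is a placeholder.
$Folder = 'D:\Shares\Docs'

# Step 8: the actions listed in the answer, audited for success only.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions'

# Step 7: "This folder, subfolders and files".
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Step 5: the 'Everyone' group, by its well-known SID so the name does not
# depend on the server's display language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit is required: without it Get-Acl does not load the audit entries.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)

# Step 10: stop inheriting audit entries from the parent folder.
# The second argument ($true) keeps a copy of the entries inherited so far;
# the answer does not say whether to copy or remove them, so this is an assumption.
$acl.SetAuditRuleProtection($true, $true)

Set-Acl -Path $Folder -AclObject $acl

# Read the entries back to confirm what is now audited on the folder.
(Get-Acl -Path $Folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```
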


    Expert Comment

    by:Ned Ramsay
    You have to create a policy on the server. See
    Be warned that in folders with high read/writes you will start to notice a slowdown on your system. Also, it writes to the event viewer, so it can be a pain to find the correct entries.
    Hope this helps.

    Author Closing Comment

    Fantastic, thanks
