Auditing Folder Ownership Changes on Windows Server 2008

Posted on 2012-08-20
Last Modified: 2012-08-21
How can I find the cause of a folder's Ownership changing from a particular user, say "Joe", to the Administrators Group. The folder, called Test, is on a Windows Server 2008 r2 server and the path looks like the following:


Note: Inheritable permissions is unchecked on Test, so only explicit permissions apply on this folder.

When auditing, will default logging be able to find the cause or do I have to turn on special logging to enable this kind of auditing?
Question by:Created
    LVL 28

    Accepted Solution

    Turn on auditing

    Select the Administrator group and audit "Take ownership" "Success"

    LVL 52

    Expert Comment

    by:Manpreet SIngh Khatra
    What's New in Windows Security Auditing

    There are a number of auditing enhancements in Windows Server® 2008 R2 and Windows® 7 that increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies. These enhancements include:
    Global Object Access Auditing
    "Reason for access" reporting
    Advanced audit policy settings

    In order to track file and folder access on Windows Server 2008 R2

    - Rancy
    LVL 60

    Expert Comment

    To audit files and directories on a particular server, the File and Object Access audit event option must be enabled in the Audit Policy for that server. I believe the event that you should be looking for are below. It should be configured in Global Object Access Auditing Group Policy setting. Pls see this  @


    >>  EventID 4670 - Permissions on an object were changed.
    - Logged when anyone changes the DACL (Discretionary Access Control List) on a file, folder, or securable object.
    >>  EventID 4907 - Auditing settings on object were changed.
    -  Logged every time an administrator or program changes the SACL (System Access Control List) on an object, typically a file or folder.

    For info, every securable object (e.g. file, folder, registry key, etc) in Windows has a Security Descriptor assigned to it. The security descriptor, among other things, specifies:

    1.) the user owner of the object
    2.) the group of the object (used by Unix apps that run under POSIX)
    3.) the DACL (Discretionary Access Control List), and
    4.) the SACL (System Access Control List)

    Author Comment

    Sorry, I messed up and didn't distribute the points. I wanted to give points to assisted solutions even though the right person was the accepted solution. Will have to be a little more aware next time.

    Featured Post

    Highfive Gives IT Their Time Back

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Join & Write a Comment

    I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
    Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
    This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
    This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now