
How to enable File and Folder Access Auditing on Windows Server 2008 and 2008 R2

Windows Server 2008 and 2008 R2 have been among the most widely deployed servers in
project setups where they support collaborative work environments. However,
because multiple users in such setups have access to the same objects, assigning
responsibility for user actions becomes of the utmost importance.

This can be ensured by auditing all user actions related to file and folder access. In this guide, we
are going to see how to enable auditing on Windows Server 2008 and 2008 R2.

On Windows Server 2008 and 2008 R2, auditing file and folder accesses consists of two parts:

1. Enabling File and Folder auditing, which can be done in two ways:
   a. Through Group Policy (for Domains, Sites and Organizational Units)
   b. Through Local Security Policy (for single Servers)
2. Performing audit settings for the Files and Folders to be audited, i.e. specifying the
   Files/Folders and which Users’ actions are to be audited.

Here, we will see how to enable auditing for object access on a MS Windows Server 2008 DC and
a client of the domain through GPO. To enable auditing, follow these steps:

a) Open Group Policy Management Console.
b) Go to the concerned domain and expand the node against it.
c) Go to the Group Policy Objects and right-click on it.
d) Select New from the popup menu.
e) In the New GPO dialog box, enter the name of the new GPO and click ‘Ok’.
f) Right-click on the newly created GPO and select ‘Edit’ from the popup menu.
g) The Group Policy Management Editor window opens up.
h) Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies.
i) In the right-pane, the list of all policies is displayed.
   i. Audit Account Logon Events
   ii. Audit Account Management
   iii. Audit Directory Service Access
   iv. Audit Logon Events
   v. Audit Object Access
   vi. Audit Policy Change
   vii. Audit Privilege Use
   viii. Audit Process Tracking
   ix. Audit System Events
j) Go to the policy for which you want to define settings. If you define settings for all
policies, a lot of logs will be generated.
k) Double-click on the policy for which you want to define the settings.
l) In the Properties dialog box that opens up, select Success/Failure or both.
m) Click on ‘Ok’ to close the window.
n) Next, you need to apply this policy on the DC. Go to RUN command and type:
gpupdate /force /boot /logoff and click ‘Ok’.
o) Gpupdate command prompt opens up and a message is displayed: “Updating Policy …”

After the policy has been applied, the next thing is to select Files and Folders and which Users’
actions are to be audited.

To select a specific Folder and define Users, follow these steps:

a) Go to Windows Explorer.
b) Right-click on the folder and select Properties.
c) In the Properties dialog box, select the Security tab and click on ‘Advanced’.
d) In the Advanced Security Settings dialog box, select the Auditing tab.
e) Click on the ‘Add…’ button.
f) In the Select User or Group dialog, enter the names of Users whose accesses are to be audited.
g) Select ‘Everyone’ to audit access attempts by all Users. Click on ‘OK’.
h) The Auditing Entry for Accounts dialog box opens up.
i) Select the type of accesses to be audited. Successful access, Failed access or both can be selected.
j) Click ‘Ok’ and ‘Apply’ to save the settings.

From this point onwards, all access attempts to this particular folder by all Users will be
recorded on the DC. To view these event logs, use Windows Event Viewer. Aside from this, you
can also use LepideAuditor for File Server for complete change auditing and reporting of the File
Server environment, with features like centralized and customizable auditing and real-time alert
generation.
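
The folder-level steps above can also be scripted and verified. The following is an added example, not part of the original guide or any Lepide tooling; it assumes an elevated Windows PowerShell 2.0 or later session, and the folder path is a hypothetical placeholder. It goes slightly beyond the dialog steps by checking the effective policy with auditpol and by reading back event ID 4663 ("An attempt was made to access an object") from the Security log.

```powershell
# Added example: scripted equivalent of the Auditing-tab procedure.
$Path = 'D:\Shares\Projects'   # hypothetical folder to audit (assumption)

# 1. Confirm the "Audit Object Access" policy from the GPO has reached this
#    machine; the File System subcategory should show Success and/or Failure.
auditpol /get /category:"Object Access"

# 2. Build the audit entry: who is audited, which accesses, success/failure.
#    Restricting the rights to changes (rather than every read) keeps the
#    Security log volume manageable.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None, $flags)

# 3. Read only the SACL section, add the entry, and write it back. Touching
#    only the Audit section leaves the owner and permissions (DACL) untouched.
$dir = Get-Item -LiteralPath $Path
$sd  = $dir.GetAccessControl('Audit')
$sd.AddAuditRule($rule)
$dir.SetAccessControl($sd)

# 4. Verify what is now on the folder (explicit and inherited entries).
$dir.GetAccessControl('Audit').GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 5. Show recent object-access events that mention the audited folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

If step 1 reports "No Auditing" for File System, the audit entry on the folder will not generate events until the policy has been applied.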

Lepide Software

B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
