Log file access

BryanM67

I was wondering..is there a way to log all access to a folder or file? I know how to set NTFS permissions but a RL situation has come up at the office where we need to be able to prove when a certain person has accessed a file. Thanks for any info on this.

royal

In short, go into group policy, enable success/failure for Audit Object Access. Now go onto the file server/workstation that has the files, run gpupdate /forrce, then go into security permissions > click advanced, enable auditing for the file(s)/folder(s) you want to audit, and choose full control for the user(s)/group(s) you want to audit. This will now log attempts to the event viewer.


Here's a doc that explains the process. You could do this via AD Group Policy, or the local policy on the file server.

http://www.gregthatcher.com/Papers/IT/audit.aspx

For the last picture, I would enable the Everyone Group Full Control for all Successful and Failure attempts on the files and folders. This should not be enabled indefinitely as it takes a toll on performance.

sprkymrk

icroyal wrote:

For the last picture, I would enable the Everyone Group Full Control for all Successful and Failure attempts on the files and folders. This should not be enabled indefinitely as it takes a toll on performance.

Have you ever seen this done in real life on a production server? I have and it ain't pretty. Specify who you want to audit, or limit the auditing to a single share with limited access only.

I actually saw a newly minted MCSE do this to "protect" his server. The server choked, siezed, puked, and after it completely locked up he had to do a hard shutdown. The power up process took over 45 minutes while "system" (a member of the everyone group) accessed startup files. At some point I had mercy on him and connected to group policy remotely on the computer (while he was wringing his hands trying not to look too stupid) and turned off his auditing so he could finally log in to the console.

sprkymrk

Oh, and if you enable this kind of auditing, make sure you set your event logs maximum size to handle the events without overwriting or shutting down the system when they are full.

royal

No, I haven't seen it done. I also agree with you that it should be limited to a user or small group of users. In my first paragraph, I stated to add user(s)/group(s) to it instead of Everyone Group. I made a mistake in saying to add the Everyone group since he wanted to audit a specific user.

sprkymrk

icroyal wrote:

No, I haven't seen it done. I also agree with you that it should be limited to a user or small group of users. In my first paragraph, I stated to add user(s)/group(s) to it instead of Everyone Group. I made a mistake in saying to add the Everyone group since he wanted to audit a specific user.

I just had to pick on you at least once, since in your more than 500 other posts I haven't found anything else to pick on.

royal

sprkymrk wrote:

icroyal wrote:

No, I haven't seen it done. I also agree with you that it should be limited to a user or small group of users. In my first paragraph, I stated to add user(s)/group(s) to it instead of Everyone Group. I made a mistake in saying to add the Everyone group since he wanted to audit a specific user.

I just had to pick on you at least once, since in your more than 500 other posts I haven't found anything else to pick on.

You bully!