Configure Windows Auditing


Detect object access on file servers

This section explains how to configure Windows auditing to detect access to a specific file.

Navigate to the required file share, right-click it and select Properties.

Switch to the Security tab and click the Advanced button. Then go to the Auditing tab and click the Add button.

Configure the following settings:

  • Principal: “Everyone”.
  • Type: “All”.
  • Applies to: “This folder, subfolders and files”.
  • Advanced Permissions: “List folder / read data”.

Click OK to apply settings.

Log on to your domain controller (DC) and run gpmc.msc.
Create a new GPO or choose an existing one, then click Edit.

Go to Advanced Audit Policy Configuration > Audit Policies > Object Access.
Enable Success and Failure for both Audit Handle Manipulation and Audit File System.

If it is a new policy, link the new GPO to an OU that contains the file servers: in Group Policy Management, right-click the OU, click Link an Existing GPO and select the GPO that you created.

Force a Group Policy update on the selected OU: in Group Policy Management, right-click the OU and click Group Policy Update.
Alternatively, you can force the update on the target server using the command:

gpupdate /force

To confirm that everything
Open Event Viewer and search the Security log under Windows Logs for event ID 4663.
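
The same procedure can be scripted on the file server. The following PowerShell is an added example, not part of the original page: it applies the audit entry listed above, checks that the two Object Access subcategories are active, and lists recent 4663 events for the folder. The folder path and the look-back window are hypothetical values, and the subcategory names assume an English-language system.

```powershell
# Added example, not from the original page. Run elevated on the file server.
param(
    [string]$Path = 'D:\Shares\Finance',  # hypothetical audited folder
    [int]$LookbackMinutes = 30            # hypothetical search window
)

# SACL entry matching the GUI settings: Everyone (SID S-1-1-0), Type "All"
# (Success + Failure), "This folder, subfolders and files", "List folder / read data".
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the SACL entry is present.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Out-Host

# Confirm the GPO reached this server (subcategory names as on an English system).
foreach ($sub in 'File System', 'Handle Manipulation') {
    auditpol /get /subcategory:"$sub"
}

# Pull recent 4663 events and keep those whose ObjectName is under $Path.
$filter = @{ LogName = 'Security'; Id = 4663
             StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($evt in $events) {
    $d = @{}
    foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -and
        $d.ObjectName.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
        [pscustomobject]@{
            Time       = $evt.TimeCreated
            User       = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Object     = $d.ObjectName
            Process    = $d.ProcessName
            AccessMask = $d.AccessMask   # 0x1 = ReadData (List folder / read data)
        }
    }
}
```

If no events are listed after a file in the folder has been read, check the auditpol output and the SACL table first: a missing audit entry or a GPO that has not applied both produce an empty result.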