To audit file and folder access, object-level auditing must be enabled. This can be achieved in three ways:
- Using Windows shares
- Using PowerShell cmdlets
- Using Global Object Access Auditing
Using Global Object Access Auditing
- Log in to any computer that has the GPMC with Domain Admin credentials.
- Open the GPMC and, based on your setup, right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy or ADAuditPlusWSPolicy, and select Edit.
- In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Global Object Access Auditing > File system > Define this policy setting > Configure. For the Everyone group, add the following entries:
| |
Principal |
Type |
Access |
| File/folder changes |
Everyone |
Success, Failure |
- Create files / Write data
- Create folders / Append data
- Write attributes
- Write extended attributes
- Delete subfolders and files
- Delete
|
| Folder permission and owner changes |
Everyone |
Success, Failure |
- Take ownership
- Change permissions
|
