Configure object-level auditing - Manual configuration
Using Windows shares
Right-click on the share folder that you want to audit, select Properties, and then click on the Security tab → Select Advanced, and then click on the Auditing tab → For the Everyone group, add the following entries:
| Principal | Type | Access | Applies To | |
|---|---|---|---|---|
| File/folder changes | Everyone | Success, Failure |
| This Folder, sub folders, and files |
| Folder permission and owner changes | Everyone | Success, Failure |
| This Folder and sub folders |
| File read | Everyone | Success, Failure |
| Files only |
| Folder read failure | Everyone | Failure |
| This Folder and sub folders |
Using PowerShell cmdlets
Go to the <installation directory>\bin folder within the PowerShell command prompt → Type in ADAP-Set-SACL.ps1 → Follow the steps to apply object-level auditing to shares on the file server.
- Create a CSV file containing the Universal Naming Convention (UNC) path or local path and the type of auditing (file server auditing [FA] or file integrity monitoring [FIM]) of all the folders that you need to enable auditing for.
The CSV file should contain the list of folders in the following format: <folder>,<type>
Example:
\\SERVERNAME\folder,FA
C:\test folder,FA
E:\test folder,FIM
\\SERVERNAME\c$\folder,FIMOnce you have the CSV file that lists all the servers and the type of auditing required, go to the <Installation Directory>\bin folder within the PowerShell command prompt.
Type in:
.\ADAP-Set-SACL.ps1 -file '.\file name' -mode add (or) remove -recurse true (or) false -username DOMAIN_NAME\username
Where
| parameter | input variable | mandatory |
|---|---|---|
| -file | name of the CSV file containing the list of shared folders | yes |
| -mode | add - sets the object-level auditing settings (or) remove - removes the object-level auditing settings | yes |
| -recurse | true - Replace all sub-folder object-level auditing settings with inheritable auditing settings applied to the chosen folder. (or) false - Apply object-level auditing settings only to the chosen folder Note: By default, the -recurse parameter is set to false | no |
| -username | DOMAIN_NAME\username of the user with privilege over the file or folder to set the object-level auditing settings. (No cross-domain support) | no |
Note: When removing object-level auditing for a set of folders, the -type parameter is not mandatory.
For example:
- To set object-level auditing for the list of folders in the shared_folders_list.CSV file, use:
.\ADAP-Set-SACL.ps1 -file '.\shared_folders_list.CSV' -mode add - To replace all sub-folder object-level auditing settings with inheritable auditing settings applied to the shared_folders_list.CSV file, use:
.\ADAP-Set-SACL.ps1 -file '.\shared_folders_list.CSV' -mode add -recurse true - To remove object-level auditing for the list of folders in the shared_folders_list.CSV file, use:
.\ADAP-Set-SACL.ps1 -file '.\shared_folders_list.CSV' -mode remove
