How to Monitor Changes to Files and Folder Permissions

With Native AD Auditing
With ADAudit Plus

Simplified permission change monitoring with ADAudit Plus

With ADAudit Plus' simple, easy to read reports, a single click is all it takes to pull up complete details of who changed the file/folder permissions, when and from which machine. The exact value of the permission changed is also listed. These reports can be exported and also scheduled to be automatically generated, at the specified times, and delivered to your inbox. You can also configure alerts to notify you when permissions of critical files/folders are changed. This way you can take action immediately.

The details you can find in this report include:
1. File/Folder name and its location in the server.
2. Name of the user who modified the permission
3. Values of new and old ACL
4. Permissions modified
5. Server in which the file/folder is located
6. Time at which the permission was changed
To understand what exactly was changed in the file/folder's ACL, click the More link in the Permission Modified field. The new and old values of your ACL are also provided in detail.
Old ACL:

New ACL:
Note that in this example, Mark Lloyd has been given full control during this permission change. With these details you can investigate further if you think the permission change seems malicious. In case you want to filter the permissions changed based on the server in which the files/folders reside, simply switch to Server Based Reports and navigate to Folder Permissions Changed report. A similar report is displayed, filtered based on the server you choose. To view the permission changes made by a specific user, go to the User Based Reports and select the Folder Permissions Changed report.

Native auditing

With native auditing, here is how you can monitor changes to files and folder permissions:

Step 1: Enable Audit Object Access policy:

Open Local Security Policy. Go to Security Settings and select Local Policies.
Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.
Step 2: Edit auditing entry in the respective file/folder

Locate the file or folder whose permission changes you wish to track. Right click on it and go to Properties. In the Security tab, click the Advanced button.
In Advanced Security Settings for Active Directory window, go to Auditing tab, and click the Add button to add a new auditing entry.
In the Auditing Entry for Active Directory dialog box, enter the following details:
1. Principal: Enter the names of the users whose access you wish to audit.
2. Type: Select the type of access you want to audit. It is preferable to audit "All" changes.
3. Applies to: Select whether you want to audit permission changes only on this file, or on all sub folders and files.
4. Basic permissions: Choose the types of permissions you want to audit. For your specific need, click 'Advanced permissions', and select 'Change permissions'.
Step 3: View audit logs in Event Viewer

Every time a user accesses the selected file/folder, and changes the permission on it, an event log will be recorded in the Event Viewer. To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.
To filter the event logs to view just the logs about the file/folder permission changes, select Filter Current Log from the right pane. Simply search for the event ID 4670 which indicates file/folder permission changes.
The middle pane now shows all the permission changes made to files/folders. Click on any one of them and view its properties.
For more information on the exact permission that was changed, you can examine the old and new security descriptor.