How to Track Changes in Shared Folder on File Server

With Native AD Auditing
With ADAudit Plus

Complete change monitoring on files/folders with ADAudit Plus:

ADAudit Plus offers reports that pull up changes made to your files/folders with complete details in a single click. These reports can be exported in any format such as CSV, PDF, XML etc. Real-time alerts can be sent to your e-mail or phone so that you can be notified when changes are made to a critical file or folder. Here is how you can access these reports:

Login to ADAudit Plus → Go to File Audit tab → Under File Audit Reports → navigate to All File/Folder Changes report. Select the time period for which you want to track the changes made and the domain that the file server belongs to.

- The details you will find in this report are:
  1. Name of the file/folder changed
  2. Who made the changes
  3. When the change was made
  4. Location of the file/folder
You can filter the graph based on the change type. For example, if you want to see the files that were deleted, simply pick them out from the graph, and all logs corresponding to file deletion will be displayed. To categorize changes based on shares, go to the Share Based Reports tab, and select 'All file/folder changes by share'. Select the share for which you wish to track the changes. The details of all changes made on this share is shown, similar to the above report.

Native method

Step 1: Enable 'Audit object access' policy
Launch the Group Policy Management console (Run --> gpedit.msc)
Create a new GPO and link it to the domain containing the file server or edit the existing GPO that is linked to the relevant domain.
Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.
Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.
Navigate to Advanced Audit Policy Configurationb -> Audit Policies -> Object access. Turn on auditing for Audit file system and Audit handle manipulation.
Step 2: Edit auditing entry in the respective file/folder

Locate the file or folder for which you wish to track all the accesses. Right click on it and go to Properties. Under the Security tab click Advanced.
In Advanced Security Settings, go to the Auditing tab and click Add to add a new auditing entry.
In the Auditing Entry for Active Directory dialog box, enter the following details:
1. Principal: Enter the names of the users whose changes you wish to audit.
2. Type: Select the type of changes you want to audit. It is preferable to audit "All" changes.
3. Applies to: Select here whether you want to audit access only on this file, or on all sub folders and files.
4. Basic permissions: Choose the types of permissions you want to audit. Click 'Advanced permissions' and choose to audit 'Traverse folder / execute file', 'List folder / read data', 'Create files /write data', 'Create folders / append data', 'Write attribute'.
Step 3: View audit logs in Event Viewer

Every time a user accesses the selected file/folder, and makes changes on it, an event log will be recorded in the Event Viewer. To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.
Search the Security Windows Logs for the event ID 4656 with the "Audit Failed" keyword to find out who tried changing a file or folder.