How to find out who changed the Folder permissions
Get it Done with ADAudit PlusNative auditing
1. Setting up the file's audit system access control list (SACL):
- Select the file you want to audit and go to Properties. Select the Security tab → Advanced → Auditing → Add.
- Select Principal: Everyone; Type: All; Applies to: This folder, sub-folders, and files.
- Click Show Advanced Permissions, select Change permissions and Take ownership.
2. Setting up your domain's audit policy
- Go to your Group Policy management console, and edit the Default Domain Policy.
- Go to Computer Configuration → Policies → Windows Settings → Security Settings.
- Go to Local Policies → Audit Policy: Audit object access. Select both Success and Failures.
- Go to Advanced Audit Policy Configuration → Audit Policies → Object Access:
- Audit File System: Select both Success and Failures.
- Audit Handle Manipulation: Select both Success and Failures.
- Go to Event Log and define the:
- Maximum security log size to 1GB.
- Retention method for security log to Overwrite events as needed.
3. Checking for the event on your Event Viewer
Go to the Windows Security logs, and search for:
- Event ID 4663
- Task Category: File System or Removable Storage
The Account Name and Security ID will show you who changed the file’s/folder's owner or permissions.
Simplified folder permission change monitoring with ADAudit Plus
With ADAudit Plus' simple, easy-to-read reports, a single click is all it takes to pull up complete details of who changed the file/folder permissions, when, and from which machine. The exact value of the permission changed is also listed. These reports can be exported and scheduled to be automatically generated at the specified times and delivered to your inbox. You can also configure alerts to notify you when permissions of critical files/folders are changed. This way you can take action immediately.
Log in to ADAudit Plus. Go to the File Audit tab, and under File Audit Reports, navigate to the Folder Permission Changes report.
The details you can find in this report include the:
- File/folder name and its location in the server
- Name of the user who modified the permission
- Values of new and old access control list (ACL)
- Permissions modified
- Server in which the file/folder is located
- Time at which the permission was changed
To understand what exactly was changed in the file/folder's ACL, click the More link in the Permission Modified field.
The new and old values of your ACL are also provided in detail.
Old ACL:
New ACL:
Note that in this example, Mark Lloyd has been given full control during this permission change. With these details, you can investigate further if you think the permission change seems malicious. If you want to filter the permissions changed based on the server in which the files/folders reside, simply switch to Server Based Reports and navigate to the Folder Permissions Changed report. A similar report filtered based on the server you choose is displayed. To view the permission changes made by a specific user, go to the User Based Reports, and select the Folder Permissions Changed report.
Keeping track of your files' and folders' permission changes is critical in maintaining file integrity and preventing unauthorized access.
The steps above answer the following file/folder permission monitoring questions:
- Find out who changed permissions on a folder in Windows
- How to check who changed folder permissions
- How to see who changed folder permissions
- How to tell who changed folder permissions
- Who changed file permission Windows
- Check who changed file permissions
- How to audit file permission changes
- How to find out who changed folder permissions
- Software: how to find out who changed folder permissions
- How to find out who changed the folder permissions in Windows 2003
- How to find out who changed folder permissions Windows 2008 R2
- How find out who changed folder permissions in Windows 2008
- How to find the folder-level permission changes in Windows Server 2003
- How to track the folder permission changes in Windows file server
- How to track if file and folder permissions changed on a server
- How to audit folder permission changes
- How to find out who changed permissions of a folder on a server
- How to find who changed shared folder permissions
- How to monitor changes to files and folder permissions
- How to check folder permissions changes in Windows Server
- How to check who change folder access permissions
Native auditing becoming a little too much?
Simplify file server auditing and reporting with ADAudit Plus.
Download for Free