Windows Server Cookbook for Windows Server 2003 and Windows 2000

Recipe 4.18. Finding Who Last Opened or Modified a File

Problem

You want to find who last opened or modified a file.

Solution

To find who last opened or modified a file, you have to enable auditing on that file. To enable auditing, you have to enable auditing at the server level and then enable auditing on the particular object (in this case, a file) in which you are interested.

Using a graphical user interface

Do the following to enable auditing at the server level:

  1. From the Administrative Tools, open the Local Security Policy snap-in.

  2. In the left pane, expand Local Policy and click on Audit Policy.

  3. In the right pane, double-click Audit object access.

  4. Check the boxes beside Success or Failure (as needed).

  5. Click OK.

Now you need to enable auditing on the target file(s) or folder(s):

  1. Open Windows Explorer.

  2. In the left pane, browse to the parent folder of the file or folder on which you want to enable auditing. Click on the parent folder. This displays the list of sub-folders and files in the right pane.

  3. In the right pane, right-click on the target file or folder and select Properties.

  4. Select the Security tab.

  5. Click the Advanced button.

  6. Select the Auditing tab.

  7. Click the Add button.

  8. Enter the user or group you want to audit access for (use the Everyone principal to audit all access) and click OK.

  9. In the Auditing Entry dialog box, select the types of access you want to audit. You have to select Success events separately from Failure events. Click OK when you are done.

  10. Click Apply.

Using a command-line interface

Use the auditpol.exe command to enable auditing at the server level:

> auditpol \\<ServerName> /enable /object:all

Microsoft doesn't provide a tool to configure the audit settings of files. However, you can do this with the setacl.exe tool. It is available for download from SourceForge at http://setacl.sourceforge.net/. Here is an example of setting an audit entry on the file d:\myimportantfile.txt for all failed access attempts by the Everyone principal:

> setacl -on "d:\myimportantfile.txt" -ot file -actn ace -ace "n:everyone;p:full;m: aud_fail;w:sacl"

Discussion

Be careful when enabling auditing on a frequently accessed set of files or folders. The number of audit messages in the Security event log can grow quickly with just a few accesses of the file. Monitor the Security event log closely after initially enabling auditing just to make sure you don't flood it.

See Also

Recipe 11.1

Related

Категории