How to See Who Changed File Permissions in Windows Servers

How to See Who Changed File Permissions in Windows Servers

Finding Permission changes on File Servers

Tracking user rights changes on Windows Servers is important because these changes can lead to unauthorized access and ultimately data exfiltration. IT administrators, therefore, must track permission changes to know who changed a permission, to which user, and, when. You can easily do it by enabling object access auditing and configuring the particular files and folders for auditing of changes in permissions. After you have enabled permission change audit, you can view and investigate all permission changes in Event Viewer. In this article, we discuss in detail about the native way of tracking permission changes. 

Enabling Object Access Auditing

  1. Open Local Security Policy Go to Administrative Tools and open Local security policy.
  2. Enable Audit Object Access policy.  In Local Security Policy, click on Local Policies, and then click Audit Policy. A List of all Local Security Policies are displayed in the right pane. 
  3. In the policy list, double click Audit Object Access to open the Properties window. 
  4. Select Success and Failure checkboxes. Click Apply and then OK.

Tracking Changes made to Permissions

  1. Locate the folders whose permission changes have to be tracked. Right-click on it and select Properties from the context menu.
  2. In the Properties window, switch to the Security Tab Click on Advanced to access the advanced settings.
  3. In the Advanced Security Settings, go on to the Auditing tab and click on Add to add a new auditing entry.
  4. In the Auditing Entry for Project Files window, click on the Select a Principal link to select users for auditing.
  5. As a best practice, choose every user as a principal. You can do so by typing 'Everyone' in the text box and click on Check and then OK.
This takes you back to the Auditing Entry window.  In the Type drop-down menu, select All. In the Applies To menu, select This folder, subfolders and files to configure permission change auditing to all files and folders in the selected folder.
  1. In the Basic Permissions check-box, select the necessary permissions that you want to audit.
  2. Click on OK and close the window.
  3. Then, click on Apply and then, OK to close the Advanced Security Settings for Project Files window. 

Viewing Changes on Event Viewer

Once the permission change auditing has been configured to the required folders, subfolders, and files, the system will log the events whenever it detects a change in permissions. You can view these logs from the Event Viewer.
  1. Open Control panel and then head to Administrative Tools. Then, Click on Event Viewer.
  2. Open the event logs and go to Windows Logs, and select Security.
  3. Select the Filter Current Log option and find specific event logs from all the logs on the file server.
  4. Search for the event ID 4670 that corresponds to permission changes on an object.
  5. After you have found the events, double-click any event to view its properties in the Event Properties window. Here, you'll find all the details related to the event.

    • Related Articles

    • How to view NTFS effective permissions

      How to View NTFS Effective Permissions on Files and Folders What is NTFS? The New Technology File System, commonly abbreviated as NTFS, is the standard file system used in Windows NT and later versions of Windows operating systems. It is used to ...

    • PowerShell: Advanced Configuration of Windows Event Log File Size

      Managing the size and behavior of Windows Event Log files is crucial for system administrators. It ensures that logs are maintained within manageable sizes and are archived or overwritten according to specific needs. This tutorial provides an ...

    • Quickly Check Windows Server Uptime

      A system is only useful as long as it is up and running. Server administrators use a utility called "Windows Uptime" as a measurement to troubleshoot day-to-day issues that can arise in the Windows environment. A computer with a high downtime has ...

    • Dism Cleanup Image: Streamline Your Windows System

      If you're a Windows user, you may have encountered situations where your system starts to accumulate unnecessary files and consumes valuable disk space. These files can slow down your computer and affect its overall performance. However, there's a ...

    • Object permissions in Active Directory

      Permission in AD are privileges granted to users or groups to perform certain operations on objects. Permissions are usually granted by object owners or administrators. Users and groups are assigned permissions (to read, write, create child objects ...