Auditing file and folder access
You can audit file and folder access on NTFS volumes to identify who took various types of actions with the files and folders.
When you audit a file or folder, an entry is written to the Event Viewer security log whenever the file or folder is accessed in a certain way. You specify which files and folders to audit, whose actions to audit, and what types of actions are audited.
To set auditing on a file or folder, use Group Policy to enable auditing, and then use Windows Explorer to specify which files to audit and which type of file access events to audit.
You can audit successful and failed attempts of the following types of directory and file access:
| Types of directory access | Types of file access |
Displaying names of files in the directory | Displaying the file's data |
Displaying directory attributes | Displaying file attributes |
Changing directory attributes | Displaying the file's owner and permissions |
Creating subdirectories and files | Changing the file |
Going to the directory's subdirectories | Changing file attributes |
Displaying the directory's owner and permissions | Running the file |
Deleting the directory | Deleting the file |
Changing directory permissions | Changing the file's permissions |
Changing directory ownership | Changing the file's ownership |
Note
| • | To audit files and directories, you must be logged on as a member of the Administrators group. |
For more information, see:
Related Topics
| • |