Overview
You want to track every time a user opens, modifies, or deletes a file in a selected location.
Information
It is possible to configure file auditing on the machines a user has access to so that EventsManager can collect such Windows events.
Enabling the object access auditing policy
- Enabling auditing policy on the local machine:
  1. Open the Local Security Policy Configuration by choosing Start > Settings > Control Panel > Administrative Tools > Local Security Policy.
  2. Expand Local Policies > Audit Policy and open the 'Audit object access' properties.
  3. Enable the 'Success' and 'Failure' checkboxes depending on the kind of auditing you want to have.
- Opening object access auditing configuration for a group policy:
  1. Choose Start > Run > mmc.
  2. Choose File > Add/Remove Snap-in.
  3. Click on the Add button, select 'Group Policy Object Editor' from the list and click on Add.
  4. Choose the group policy you want to configure auditing for, then click Finish.
  5. Click Close.
  6. In the Group Policy Object Editor, expand Computer Configuration.
  7. Expand Windows Settings > Security Settings > Local Policies.
  8. Click Audit Policy and open the 'Audit object access' properties.
  9. Enable the 'Success' and 'Failure' checkboxes depending on the kind of auditing you want to have.
- Note: In a domain environment, it is recommended to use Group Policies to enable Object Access Audit settings.
Enabling auditing on the file, folders or registry keys you need to monitor
- Enabling auditing for a file/folder:
  1. In Windows Explorer, browse to the file/folder you want to enable Object Access auditing on.
  2. Right-click on the file/folder and choose Properties.
  3. Go to the Security tab.
  4. From the dialog box opened above, click on the Advanced button.
  5. Go to the Auditing tab and click on the Add button.
  6. Enter the users/groups you want to configure auditing for and click OK. To enable auditing for all users, you can select the "Everyone" Group.
  7. Select the kind of access you want to audit and click OK.
  8. Repeat steps 2 to 7 to add other users/groups.
- Enabling auditing for a registry key:
  1. Open Regedit (Start > Run > type Regedit and press Enter).
  2. Select the registry key that you want to enable auditing on.
  3. Right-click on the key and select Permissions.
  4. From the dialog box opened above, click on the Advanced button.
  5. Go to the Auditing tab and click on the Add button.
  6. Enter the users/groups you want to configure auditing for and click OK. To enable auditing for all the users, you can select the "Everyone" Group.
  7. Select the kind of access you want to audit and click OK.
  8. Repeat steps 2 to 7 to add other users/groups.
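The policy and per-object steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of EventsManager. It assumes an elevated session on an English-language Windows installation, and the folder path and registry key are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: the two targets below are hypothetical placeholders.
$Folder = 'C:\Data\Finance'
$RegKey = 'HKLM:\SOFTWARE\ExampleVendor'

# Step 1: audit policy. Same effect as ticking Success and Failure on
# 'Audit object access'. The category name is localized; "Object Access"
# is the English name (assumption: English-language OS).
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# Well-known SID of the Everyone group, independent of the OS language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None
$both     = [System.Security.AccessControl.AuditFlags]'Success,Failure'

# Step 2a: folder SACL. Audit reads, writes and deletes by Everyone,
# inherited by subfolders and files.
$fsRights  = [System.Security.AccessControl.FileSystemRights]'ReadData,Write,Delete,DeleteSubdirectoriesAndFiles'
$fsInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$fsRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $everyone, $fsRights, $fsInherit, $noProp, $both
$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($fsRule)               # adds to existing rules, keeps the rest
Set-Acl -Path $Folder -AclObject $acl

# Step 2b: registry key SACL. Audit value changes, subkey creation and
# deletes, inherited by subkeys.
$regRights  = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete'
$regInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
    -ArgumentList $everyone, $regRights, $regInherit, $noProp, $both
$acl = Get-Acl -Path $RegKey -Audit
$acl.AddAuditRule($regRule)
Set-Acl -Path $RegKey -AclObject $acl

# Check: read both SACLs back and confirm the policy is in effect.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
(Get-Acl -Path $RegKey -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited
auditpol.exe /get /category:"Object Access"
```

Auditing read access for Everyone on a busy folder generates a large volume of events, so narrow the rights or the group to what you actually need to collect.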
Related Articles
Apply or modify auditing policy settings for an object using Group Policy
Apply or modify auditing policy settings for a local file or folder