How to Audit Permission Changes on File Servers

Easily audit permissions changes with Lepide File Server Auditor
Or Deploy With Our Virtual Appliance
5 min read | Updated On - December 21, 2023
In This Article

Auditing changes to permissions on a file server is important for several reasons. First and foremost, it helps to ensure the security of sensitive data by detecting any unauthorized changes made to file permissions. By regularly auditing changes to permissions, system administrators can identify any suspicious activity and take corrective action to prevent data breaches or other security incidents.

Additionally, auditing changes to file server permissions can help to maintain compliance with regulatory requirements, such as those governing data privacy and protection. By demonstrating that changes to permissions are being audited and appropriate access controls are in place, organizations can avoid costly fines and legal penalties.

Furthermore, auditing changes to permissions can help to improve accountability and transparency within an organization. By keeping a record of all changes made to file permissions, system administrators can track who made the changes and when which can be useful for troubleshooting or investigating security incidents.

Overall, auditing changes to permissions on file servers is a critical component of any organization’s data security strategy, helping to protect sensitive data, maintain compliance, and improve accountability and transparency.

In this article, we will show you how to audit File server permissions using event logs and by using Lepide File Server Auditor.

Steps to Audit Permission Changes on File Servers using Event Logs

Follow below given steps to enable auditing and track related events in Event Viewer:

Step 1: Open Local Security Policy

Go to “Administrative Tools” and open “Local security policy”.

Local Security Policy
Figure 1: Local Security Policy

Step 2: Enable Audit Object Access policy.

In “Local Security Policy”, click “Local Policies”, and click “Audit Policy”. List of all Local Security Policies is displayed in the right pane.

Local Security Policy
Figure 2: Local Security Policies

In the policy list, double click “Audit object access” to open “Properties” window.

Audit Object Access Properties
Figure 3: Audit Object Access Properties

Select “Success” and “Failure” checkboxes. Click “Apply” and “OK”.

Step 3: Track permission changes

Next, locate the folders whose permission changes have to be tracked. Right-click on it and select “Properties” from the context menu. In “Properties” window, switch to “Security Tab”.

Properties Window
Figure 4: Properties Window

Click “Advanced” to access the advanced settings

Step 4: Add a new auditing entry

In “Advanced Security Settings”, go to “Auditing” tab.

Add a new audit entry
Figure 5: Add a new audit entry

Click “Add” to add a new auditing entry. “Auditing entry… ” window appears on the screen.

Add a new audit entry
Figure 6: Add a new Audit Entry

Enter the following information in this dialog box:

Principal: Click on “Select a Principal” link to select users for auditing. You can also select “Everyone”, for that type “Everyone” in the text box and click “Check

Select user... window
Figure 7: Select user

Click “OK”. It takes you back to “Auditing Entry” window.

creating auditing entry
Figure 8: Creating auditing entry

Type: In “Type” drop-down menu, select “Success”, “Fail” or “All” as per requirement. It is recommended to audit “All” changes.

Applies To: Select “This folder, subfolders and files” to apply this auditing to all files and folders in the selected folder.

Basic Permissions: Select the permissions that you want to audit.

Add a condition: Click “Add a condition” to narrow the scope of auditing, this ensures that you have limited events logs to search. You can add multiple conditions if you want.

Click “OK” to close the window.

Click “Apply” and “OK” to close the “Advanced Security Settings…” window. Click “OK” to close the folder’s “Properties”.

Step 5: View changes in Event Viewer

After you have enabled the auditing, the events will be logged in the system whenever a change in permissions of that folder is detected. To view the logs, go to Control panel → Administrative Tools → Event viewer. Now open the event logs and go to “Windows Logs”, and select “Security”. All the events in this category are displayed in the middle pane.

Windows Event Viewer
Figure 9: Windows Event Viewer

Step 6: Search for the Event ID 4670

On the right side, select the “Filter current log…” option. From this option, you can easily add filters to find specific event logs from all the logs on the file server. Search for the Event ID 4670 that corresponds to permission changes on an object.

After you have found the events, double-click any event to view its properties in the “Event Properties” window. Here, you find all the details related to the event.

event properties window
Figure 10: Event properties window

How Lepide File Server Auditor Tracks Permission Changes

Lepide File Server Auditor gives you an easy way to detect, monitor, and report on file server permission changes.

Just select the report from the list of pre-defined reports, specify a date range whose report you want, and click the “Generate” button.

all Permission modification report - screenshot
Figure 11: Permission modification report

This report gives the following information.

  • What – Permission that was changed.
  • When – When it was changed.
  • Who – Who changed the permission.
  • Object Name – File or folder, whose permission was changed.
  • Object Path – The location of the object.
  • Operation – What was exact operation, what was changed
  • Process Name – process name
  • From – From which computer the permission was changed.

With Permission Changes Report, Lepide’s File Server audit solution comes inbuilt with Historical Permission Analysis (that shows changes in permissions of shared files and folders) and Current Permission Report (that shows current effective permissions of shared files and folders).


This article shows the way to audit permission changes in File Server using the native method. In the end, the article also shows the process to achieve the next-gen level of auditing through an even easier method which is through Lepide File Server Auditor. Such reports will not only help you in meeting compliance requirements but will also help you in keeping your enterprise boundary secure.

Check out our Lepide File Server Auditor
Or Deploy With Our Virtual Appliance
Learn More...

Easily audit permissions changes with Lepide File Server Auditor

Or Deploy With Our Virtual Appliance
Learn More...