How to Audit Permission Changes on File Servers

Download Lepide File Server Auditor
Or Deploy With Our Virtual Appliance

Tracking file server permission changes is important because these changes can lead to unauthorized access and, ultimately, data leakage. The people in charge of IT security must therefore track permission changes to know who changed a permission and when. You can do this by enabling object access auditing and configuring the relevant files and folders to audit permission changes. Once permission change auditing is enabled, you can view and investigate all permission changes in Event Viewer. This article shows the native way of tracking permission changes, followed by an easier way using Lepide File Server Auditor.

Steps to Track Permission Changes on File Servers with Native Auditing

Follow the steps below to enable auditing and track the related events in Event Viewer:

Step 1: Open Local Security Policy

Go to “Administrative Tools” and open “Local security policy”.

Figure 1: Local Security Policy

Step 2: Enable Audit Object Access policy.

In “Local Security Policy”, click “Local Policies”, then click “Audit Policy”. The list of all Local Security Policies is displayed in the right pane.

Figure 2: Local Security Policies

In the policy list, double-click “Audit object access” to open its “Properties” window.

Figure 3: Audit Object Access Properties

Select “Success” and “Failure” checkboxes. Click “Apply” and “OK”.

Step 3: Track permission changes

Next, locate the folder whose permission changes have to be tracked. Right-click it and select “Properties” from the context menu. In the “Properties” window, switch to the “Security” tab.

Figure 4: Properties Window

Click “Advanced” to access the advanced settings.

Step 4: Add a new auditing entry

In “Advanced Security Settings”, go to “Auditing” tab.

Figure 5: Add a new audit entry

Click “Add” to add a new auditing entry. The “Auditing entry…” window appears on the screen.

Figure 6: Add a new Audit Entry

Enter the following information in this dialog box:

Principal: Click the “Select a Principal” link to select the users to audit. To audit all users, type “Everyone” in the text box and click “Check

Figure 7: Select user

Click “OK”. This takes you back to the “Auditing Entry” window.

Figure 8: Creating auditing entry

Type: In the “Type” drop-down menu, select “Success”, “Fail” or “All” as required. It is recommended to audit “All” changes.

Applies To: Select “This folder, subfolders and files” to apply this auditing to all files and folders in the selected folder.

Basic Permissions: Select the permissions that you want to audit.

Add a condition: Click “Add a condition” to narrow the scope of auditing, so that you have fewer event logs to search. You can add multiple conditions if you want.

Click “OK” to close the window.

Click “Apply” and “OK” to close the “Advanced Security Settings…” window. Click “OK” to close the folder’s “Properties” window.

Step 5: View changes in Event Viewer

After you have enabled auditing, an event is logged whenever a change in the permissions of that folder is detected. To view the logs, go to Control Panel → Administrative Tools → Event Viewer. Open “Windows Logs” and select “Security”. All the events in this category are displayed in the middle pane.

Figure 9: Windows Event Viewer

Step 6: View the relevant events

In the right pane, select the “Filter current log…” option. It lets you add filters to find specific events among all the logs on the file server. Filter for event ID 4670, which corresponds to permission changes on an object.

After you have found the events, double-click any event to view its properties in the “Event Properties” window. Here you will find all the details related to the event.

Figure 10: Event properties window
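
The same native procedure can be scripted from an elevated PowerShell prompt. The following is an added example, not part of the original article: the folder path is a hypothetical placeholder, the audit entry is limited to the “Change permissions” right, and the event field names are those carried in the XML of event 4670.

```powershell
# Added example: scripted equivalent of Steps 1-6. Run elevated on the file server.
$Folder = 'D:\Shares\Finance'   # hypothetical path, replace with the folder to audit

# Steps 1-2: enable success and failure auditing for object access.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Steps 3-4: add an auditing entry (SACL) for Everyone on the folder,
# inherited by subfolders and files, covering the "Change permissions" right.
$acl  = Get-Acl -Path $Folder -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Steps 5-6: read event ID 4670 from the Security log for the last 24 hours
# and keep only file or folder objects under the audited path.
$filter = @{ LogName = 'Security'; Id = 4670; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $d = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) {
            $d[$item.Name] = $item.'#text'
        }
        $underFolder = $d.ObjectName -and
            $d.ObjectName.StartsWith($Folder, [StringComparison]::OrdinalIgnoreCase)
        if ($d.ObjectType -eq 'File' -and $underFolder) {
            [pscustomobject]@{
                When    = $_.TimeCreated
                Who     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                Object  = $d.ObjectName
                Process = $d.ProcessName
                OldSddl = $d.OldSd   # security descriptor before the change
                NewSddl = $d.NewSd   # security descriptor after the change
            }
        }
    } | Sort-Object When | Format-List
```

Comparing `OldSddl` with `NewSddl` shows exactly which access control entries were added or removed by each change.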

How Lepide File Server Auditor Tracks Permission Changes

Lepide File Server Auditor (part of Lepide Data Security Platform) gives you an easy way to detect, monitor, and report on file server permission changes.

Just select the report from the list of pre-defined reports, specify the date range you want the report to cover, and click the “Generate” button.

Figure 11: Permission modification report

This report gives the following information.

  • What – Permission that was changed.
  • When – When it was changed.
  • Who – Who changed the permission.
  • Object Name – File or folder whose permission was changed.
  • Object Path – The location of the object.
  • Operation – The exact operation performed and what was changed.
  • Process Name – The name of the process.
  • From – From which computer the permission was changed.

Along with the Permission Changes Report, Lepide’s File Server audit solution includes Historical Permission Analysis (which shows changes in permissions of shared files and folders) and the Current Permission Report (which shows current effective permissions of shared files and folders).


This article shows how to audit permission changes on a File Server using the native method. It also shows how to achieve a next-gen level of auditing through an even easier method, Lepide File Server Auditor. Such reports will not only help you meet compliance requirements, but will also help you keep your enterprise boundary secure.
