Looking for a way to track Access-list changes on folders

swabs

IS-IT--Management
Jul 28, 2003
155
US
Does anyone know of a way to track when a change is made to an access-list on a network share or a specific folder?
I have looked at auditing, but I can't seem to find the correct settings.

thanks,
Ben
 
Right-click on the shared folder
Click properties
Click on the security tab
Click the Advanced button
Click the Auditing tab

This is where you manage auditing on the shared resource.

To learn more about Auditing click the "Learn more about auditing" link at the bottom of the Auditing tab.

I don't know sir...I guess it's broke.
 
Smeglor,
I appreciate the help. I have enabled auditing on the folder and set auditing for Domain Users = Change permissions. I can get the eventvwr to show the event below on a file ACL change. The problem is that it doesn't say which user was granted or removed from the ACL. The change was made by the user Administrator, but the change happened to user test3.

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/14/2006
Time: 11:43:59 AM
User: ADTEST\administrator
Computer: TEST2K3
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\acl\test2.txt
Handle ID: 1428
Operation ID: {0,14552467}
Process ID: 3528
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: administrator
Primary Domain: ADTEST
Primary Logon ID: (0x0,0xD772D6)
Client User Name: administrator
Client Domain: ADTEST
Client Logon ID: (0x0,0xD772D6)
Accesses: READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACCESS_SYS_SEC

Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
Restricted Sid Count: 0
Access Mask: 0x10E0000


For more information, see Help and Support Center at
 
I am getting closer.....
I have enabled auditing on a folder for "change permissions". I then created a new rule group in MOM and a new alert that looks for security event id 560. This will tell me when an ACL has changed. It lets me know the file and who made the ACL change. The one major part I can get it to do is to report back to me which user/group now has access or was removed from an ACL. Below the user that made the change was "Administrator" but the user that was given access was "adtest\test3" to the file c:\acl\test3.txt. Anyone know how to get the event to show this?

Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\acl\test3.txt
Handle ID: 1628
Operation ID: {0,17659332}
Process ID: 1548
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: administrator
Primary Domain: ADTEST
Primary Logon ID: (0x0,0x10436)
Client User Name: administrator
Client Domain: ADTEST
Client Logon ID: (0x0,0x10436)
Accesses: READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACCESS_SYS_SEC

Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
Restricted Sid Count: 0
Access Mask: 0x10E0000
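
An added example, not part of any post in this thread: a Python sketch that parses the Event ID 560 description quoted above, decodes its Access Mask, and flags handle requests that include WRITE_DAC or WRITE_OWNER on a watched path. The function names and the watched-path parameter are assumptions; as the quoted events show, 560 carries the requester and the object name, not the ACL entry that was added or removed.

```python
import re

# Access-right bits of the Windows ACCESS_MASK that appear in file audit events.
ACCESS_BITS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE", 0x01000000: "ACCESS_SYS_SEC",
}
ACL_CHANGE_RIGHTS = {"WRITE_DAC", "WRITE_OWNER"}  # rights needed to rewrite DACL/owner

# Constructed sample: fields copied from the Event ID 560 description in the thread.
SAMPLE_560 = """\
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\\acl\\test3.txt
Image File Name: C:\\WINDOWS\\explorer.exe
Client User Name: administrator
Client Domain: ADTEST
Access Mask: 0x10E0000
"""

def parse_fields(description):
    """Split 'Name: value' lines into a dict; header lines with no value are skipped."""
    fields = {}
    for line in description.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)  # first colon ends the field name
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_mask(mask):
    """Name the rights set in mask; bits not in ACCESS_BITS are returned as hex."""
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(ACCESS_BITS)
    return names + ([hex(rest)] if rest else [])

def acl_change_alert(description, watched_prefix):
    """Return an alert dict when ACL/owner write access is requested under watched_prefix."""
    f = parse_fields(description)
    rights = decode_mask(int(f.get("Access Mask", "0"), 16))
    name = f.get("Object Name", "")
    in_scope = name.lower().startswith(watched_prefix.lower())
    if not in_scope or not ACL_CHANGE_RIGHTS & set(rights):
        return None
    who = f.get("Client Domain", "?") + "\\" + f.get("Client User Name", "?")
    return {"object": name, "changed_by": who,
            "process": f.get("Image File Name", ""), "rights": rights}
```
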
 