How to configure file and folder access auditing in Windows
Latest update: 12 December 2022
ID: 15924
File and folder access auditing may help you keep track the changes in files or folders. To configure file and folder access auditing, follow the steps below.
Step 1. Set audit events in the Local Group Policy Editor
- Press +R on the keyboard.
- Type gpedit.msc and click OK.
- Go to Computer configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies - Local Group Policy Object → Object Access.
- Double-click Audit Detailed File Share.
- Select the check boxes Configure the following audit events, Success, Failure and click ОК.
- Repeat the steps 4 and 5 for the Audit File Share and Audit File System subcategories.
The audit events will be configured.
Step 2. Configure folder access auditing in Advanced Security Settings
- Right-click the folder whose access auditing you want to configure, and select Properties.
- Go to the Security section and click Advanced.
- Go to the Auditing section and click Add.
- Tap Select a principal.
- Enter Everyone in the Enter the object name to select field and click ОК.
- Select the check boxes Full control, Modify, Read & execute, List folder contents, Read and Write. Click ОК.
Access auditing will be configured. Repeat these steps for all the folders for which you want to configure access auditing.
Step 3. Check the event log information of the folder for which auditing is configured
- Open Control Panel and go to System and Security → Administrative tools.
- Open Event viewer.
- Proceed to Windows logs → Security and select the event.
The event information will be displayed. You can find log event ID codes and their descriptions on the Microsoft's support website.