How to Configure File\Folder Access Auditing in Windows Server!

In this article we have been configuring file access auditing so that events are logged every time a specified user or group successfully accesses or attempts and fails to access a specified file or folder.

We want to enable the “Audit File System” policy which can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Security Policy Configuration > Audit Policies > Object Access.

From within this policy we can optionally enable it by selecting the check box shown below. We also then have the option of auditing either success or failure events, or both.

This policy will enable auditing of the file system to the computer that it has been applied to, we need to actually enable auditing on a per file or folder basis. Right clicking a file or folder >> select properties >> security tab.

Next click advanced, and from the advanced security settings window that opens, select the auditing tab.

We can now define a user or group that should be audited when they attempt to access this specific folder or file for either success, failure, or both event types.

We can also audit for folder of file deletion by configuring advanced permissions >> select the Delete options. This will generate event for users deleted a specific folder and files.

File Access Auditing Example

n this example I’ve configured a ‘test’ folder on the desktop of the administrator user. Every time any user successfully accesses this folder we want to know about it.

Now if we open the folder which we have access to, the following event has been logged in the security event logs with event ID 4663.

Conclusion

We have shown you how to configure file access auditing in Windows Server 2012 by first enabling the appropriate group policy setting, and then by configuring the auditing on a specific file or folder.