Auditing file changes

Erik Schulp

Hi all,

A client of ours would like to know if it's possible to implement an
audit which lets us track not only the time/date a file was changed,
but also who changed it.

When right-clicking on a file in Explorer and accessing its
properties, not only the creation date and the last date/time it was changed
should show up in the dialog, but also the username who last edited it.

Is this possible via regular Windows 2000 auditing policies, or are
supplemental tools/configuration changes necessary?

The clients on which this should work are W2K and XP PCs.


Met vriendelijke groet / Kind regards,

Erik Schulp
PractiCom Autmatisering

Zadelmakerstraat 10
5405 BR Uden
T 0413 332105
F 0413 332106
E (e-mail address removed)
W http://www.practicom.net/
 
You might want to have them check who is the owner of the file. If the file
was not created by a member of the administrators group then the user that
actually created the file will be the owner. The ownership "might" change
when the file is changed depending on how the application processes files.
If the change to the file creates a new file and deletes the old file then
you should see a new owner. If the application simply saves the file with
the changes then the owner will not change.

If that does not help then the other alternative is to enable auditing of
object access in Local Security Policy on the computer and enable auditing
on the folder or file they need to track. When enabling auditing of
folder/files you must audit only the bare number of folder/files, for the
bare number of permissions and for the bare number of users that you want to
track and avoid auditing for everyone and users. Then object access events
will be generated in the security log and LOTS of them, which means the
security log size will need to be increased substantially to probably at
least 30 MB. This is FAR from a friendly process even for those who are
experienced in viewing the logs. For this particular user, auditing of only
write data, append data, and the two delete permissions would be what I
would start with. The free tool Event Comb from Microsoft can be helpful in
looking for specific data in the security log. For example, it can search for
specific Event IDs and text strings for words such as delete, a user name,
or a file name. The links below may help and you may want to test out
auditing of a folder yourself just to see how challenging it can be to find
the relevant data from the security log. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;824209
http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=45633
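
An added example, not part of the reply above: once object access auditing is enabled, this sketch picks the most recent write, append or delete request per file out of Security log records and reports the user behind it. It assumes records exported as text in the layout of the Windows 2000/XP event 560 (Object Open) description; the sample records, paths, account names and function names are constructed for illustration.

```python
import re
from datetime import datetime
# Rights that mean a change was requested (write data, append data, delete).
CHANGE_RIGHTS = ("WriteData", "AppendData", "DELETE")

def _rec(stamp, event_id, path, primary, client, accesses):
    # Builds one constructed record laid out like an event 560 description.
    desc = ("Object Open:\n\tObject Type:\tFile\n\tObject Name:\t%s\n"
            "\tPrimary User Name:\t%s\n\tClient User Name:\t%s\n"
            "\tAccesses\t\t%s\n\tPrivileges\t\t-\n"
            % (path, primary, client, "\n\t\t\t".join(accesses)))
    return (stamp, event_id, desc)

# Constructed sample data: paths, hosts and account names are made up.
SAMPLE = [
    _rec("2005-03-01 09:14:02", 560, r"D:\Data\budget.xls", "FILESRV$", "jdoe",
         ["ReadData (or ListDirectory)"]),
    _rec("2005-03-01 09:20:11", 560, r"D:\Data\budget.xls", "FILESRV$", "jdoe",
         ["WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)"]),
    _rec("2005-03-01 10:02:45", 560, r"D:\Data\budget.xls", "asmith", "-",
         ["WriteData (or AddFile)"]),
    _rec("2005-03-01 10:05:00", 560, r"D:\Data\old.doc", "asmith", "-", ["DELETE"]),
    _rec("2005-03-01 10:05:01", 562, r"D:\Data\old.doc", "asmith", "-", ["DELETE"]),
]

def field(desc, name):
    m = re.search(r"^\s*" + re.escape(name) + r":[ \t]+(.*)$", desc, re.M)
    return m.group(1).strip() if m else None

def actor(desc):
    # Over a share the primary account is the server itself; the client
    # fields then carry the real user. Local access leaves them as "-".
    client = field(desc, "Client User Name")
    return client if client and client != "-" else field(desc, "Primary User Name")

def last_changers(records):
    """Map path -> (time, user, rights) for the newest change request. Event 560
    means a handle was opened with these rights, not that data was written."""
    latest = {}
    for stamp, event_id, desc in records:
        if event_id != 560 or field(desc, "Object Type") != "File":
            continue
        accesses = desc.split("Accesses", 1)[-1].split("Privileges", 1)[0]
        rights = [r for r in CHANGE_RIGHTS if re.search(rf"\b{r}\b", accesses)]
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        name = field(desc, "Object Name")
        if rights and (name not in latest or when > latest[name][0]):
            latest[name] = (when, actor(desc), rights)
    return latest
```

Read-only opens and non-560 events are skipped, so only handles opened with a change right decide who is reported for each file.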
 
You would need to write some sort of custom shell extension,
and it would have terrible performance as it would need to
refer to extracts from the security event log where you had
caused events to be logged whenever the files were changed.
 