You would have to enable auditing of object access on the computer and then
enable auditing of change permissions for the folder. Then look for object
access Event ID 560 in the security log for the name of the folder as
"object name" and accesses that include WRITE_DAC . It will not show what
group was added but will show the name of the users that changed permissions
to the folder. See below as an example that I just did on my computer. You
can use the free Event Comb from Microsoft to help search for events by
searching for specific events and text strings such as the name of the
folder or access level such as WRITE_DAC . --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
Comb info
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/10/2006
Time: 11:13:03 AM
User: STEVE-XP\Steve <<<<<<<<<<<<<<
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\CanoScan <<<<<<<<<<<<<<
Handle ID: 1736
Operation ID: {0,1144221}
Process ID: 1440
Image File Name: D:\WINDOWS\explorer.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0xD504)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
WRITE_DAC <<<<<<<<<<<<<<<<
ReadAttributes
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
