Audit when file/folder permissions change?

Hello,
We have an old Windows 2003 std server and someone keeps changing the permissions on a single file that is very important, can I audit who does this?
Thanks

Hi,
Firstly, please enable audit object access policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy in Local Group Policy Editor (if it is in a domain, please check it under the default domain
policy in Group Policy Manager) to a Security setting of Success.
Then you need to enable auditing on that file. Please open the file's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. In your case, you can check the
Change permissions permission in the "Auditing Entry for ..." page.
After that, you can check the security logs in event viewer once some changes the permissions on that file.
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Similar Messages

  • Does SyncToy 2.1 keep file/folder permissions?

    Does SyncToy 2.1 keep file/folder permissions?
    Thx,
    J

    Hi Texxxas,
    Apparently the problem is not with SyncToy, it is with Task Scheduler. If you have had Task Scheduler work for you in the past, then I don't have an answer for that. I have never been able to get Task Scheduler to work correctly with SyncToy and a NAS drive.
    I have found that for some reason it works with USB external HDD's but will not work with a network connected hard drive. The same bug exists in Win8.1 as well. However, I have since found a third party task scheduler that works perfectly with SyncToy and
    my NAS drive. It is called System Scheduler by Splinterware. The free version only works when you are logged in but they have a paid version that runs as a service and will execute without being logged in. This has solved my problem.

  • Sharing files among different user accounts -- file/folder permissions?

    I have two main user accounts that I switch between during the day (essentially a PERSONAL account and a WORK account). This allows me to keep separate Mail, iCal, etc -- as well as desktop applications and file organization. However, I am having some major issues with sharing data between the user accounts.
    WHAT I WANT: A local drop box for shared communal files between these two primary users. Seems simple enough, right?
    WHAT I DID: I created a subfolder in /Users/Shared/ called "COMMUNAL DROP BOX" and set the permissions to R/W for both my user accounts, and no access for the other accounts. However, when I copy files into this folder from my PERSONAL account -- it retains the file level permissions. For example, I grabbed some photos from my iPhone that I shot of a display for work -- I grabbed them off the phone and then dragged them into the drop box. They are in the shared folder, but the file perms are set to PERSONAL_ACCOUNT "Read & Write" and Everyone "No Access." There's no way I can continue to individually change every single file's permission -- how do I set it up to automatically match the folder, so that files like this are then readable by my work account?
    -Jason M.

    On my machine I've created a directory(folder) in the /Users directory called localshare. Since the directory can have just one owner, I've made root own the folder.
    sudo mkdir /Users/localshare
    Every user on my machine belongs to the group-Staff. I need to change the group class on the localshare directory that I've created.
    sudo chown :staff /Users/localshare
    As a reference, I changed the traditional permissions to reflect my desired results and lock down the permissions some.
    sudo chmod 770 /Users/localshare
    I have added an ACL on the localshare directory that allows the group staff to do anything within the directory- make file and directories, modify files that they do not owner, etc.
    sudo chmod +ai "staff allow list,addfile,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directoryinherit" /Users/localshare
    This works well for me with one issue. Files or folders must be copied to the localshare directory. They cannot be moved.
    Message was edited by: Mark Jalbert

  • Adobe PCD folder permissions change after launching CS5 programs

    There is a folder apparently important for Creative Suite
    5 licensing: C:\program files (x86)\common files\adobe\adobe pcd
    Unfortunately the default permissions after installing (either standard install or install from Adobe Enterprise Deployment tools) are:
    Everyone: Read
    Administrators: Full Control
    This presents a problem for using the software if your users are not local administrators.
    If you change the folder permissions to grant access to other users, than launch InDesign and/or Photoshop, the Adobe PCD permissions revert to their original settings.  I have verified that my permissions save fine by closing and reopening the folder permissions.  It's only after a CS5 program is launched that the permissions revert.
    How can I get the permissions to stay?  Until then I have to make people local admins, which is not good if they find out.  They will install all kinds of crapware and crappy legit software and break their computers further.
    Thanks,
    Josh G
    Portland, OR

    Hello Stu,
    We are running Windows 7 Enterprise 64 bit.  I don't think running this particular operating system is unique.
    The only other idea I have at the moment, besides having everyone be a local administrator, is to write a script that updates the folder permissions.  The tricky part is figuring out how often the script should run. I'm guessing that the script should run daily but I'm not sure that is frequent enough.  I suppose if the script ran hourly that wouldn't hurt anything.
    Josh

  • 2012 R2 DFS-R stops replicating content between members when folder permissions changed

    Hello,
    Since upgrading our DFS member servers (one is a physical DC, other is a VM dedicated to DFS role only) to 2012 R2 I keep getting caught in a weird replication problem. I finally found out when the problem starts, it's the change of Folder access permissions,
    e.g. removing or adding a user account or group and I don't get it why exactly contents of such folder end up completely mismatched between DFS member servers.
    To start from beginning, an example
    Both DFS servers have a dedicated NTFS volume Y: with only 1 folder in it named Folder1 which is shared and added as Folder target on both DFS member servers. Replication group exists for that Folder1 and data is in perfect sync. New/altered content is properly
    replicated to other members server in no time (<1s), everything works perfectly well.
    Now, Folder 1 contains a dozen sub-folders with permission inheritance enabled, data de-duplication is enabled as well as FSRM file screening to avoid temporary files, thumbs.db and other junk of that sort. Let's say Subfolder1 requires admin to change permissions
    so certain group of users get a read-only access to files stored inside while others can retain modification permission to put new files or so.
    The moment I do that change it triggers a problem with DFS-R and I end up with proper copy of that sub-folder on DFS1 (physical server acting as DC) and maybe around 5-10% of content on DFS2 ... why is that so that a simple permission change operation breaks
    the DFS-R every time? When that happens the DFS2 never gets those missing files, just like it didn't know it should have those.
    DFS Health Report shows file count mismatch and regular File Sharing Violations from some opened files, but there is no mention of why the darn DFS2 is missing 90% of files in certain sub-folders ... it's so annoying ...
    I found only 1 workaround for this problem so far, that is to manually pull out all files from affected sub-folder and get them out of shared Folder1 (simple cut and paste to new temporary folder on same volume works) on DFS1, so DFS2 clears that problematic
    Subfolder1, and then manually dropping the files back in place on DFS1, later all is good on both servers ... pretty weird if you ask me.
    I don't recall seeing this problem on "slow" 2008 R2 DFS-R ... Also I tested if maybe FSRM screening rules or data de-duplication has anything to do with problem, but they don't.
    Does anybody else see this behavior between 2012 R2 DFS members?

    interesting, seems the problem was with primary DFS member (the physical DC), it was simply not sending out updates to the partner, it was like that with all 2-way connections (all working one way from "secondary" to "primary" only).
    I googled a bit a found that backups (we have nightly on either member server) trigger a pause state on replication, officially it's harmless, but what if it doesn't always automatically resume?
    for now, from DFS Manager I removed all replication connections and checked if DFS2 still awaits some pending updates (sort of stuck on that), but it still did, so I had to disable its membership in all replication groups, that cleared that problem out.
    After that I re-enabled its membership and re-created all 2-way replications connections, of course it triggered complete refresh of all replicated folders (no preseeding this time), but thankfully it was quick and finished in a few hours.
    I also disabled backups on both servers for now, and all seems in sync except one folder where I think the problem was with incomplete replication database on "primary member" sort of being unaware of half of the files in folders - my workaround
    worked on that one, just pulled all folder out of it, waited until secondary deleted them, then put them all back in and all seems replicating correctly now, also no more ghost connections.
    Truly wondering what caused this madness over time, and mind you, all this setup was new, all was rebuilt on both servers (new logical volumes on both servers - one for each shared folder and replication group, new replication databases, new secondary member,
    proper preseeding procedure, etc.) and it seems like this event below might actually be sometimes not so harmless as Microsoft says it is:
    Event ID 5014The DFS Replication service is stopping communication with partner DFS1 for replication group domain.com\shared\folder due to an error.The service will retry the connection periodically. Additional Information: Error: 9036 (Paused for backup or restore)
    It looks like sometimes, it may happen that after that warning the replication starts working only 1-way and never truly resumes which then in return can cause madness after something like updating ACL on some folder in replication content.
    I re-enabled nightly backups on physical server ("primary" DFS member) for now and will keep an eye on it and potential havoc it can wreak across replication groups over time...
    Hope it helps anybody stumbling upon similar problem some day ...

  • Global reset of file / folder permissions on a USB Drive

    I just migrated to a new MB Pro. I now have an issue with file permissions on my USB drive that I use for Time Machine and some other external data. I understand (sort of) why the permissions are messed up, because you're forced to come up with a new user name when you migrate your data and applications. That being said, I just want to globally reset / update the permissions on my USB drive and it's data so that I'm the owner; and I can read and write. And I want to save all my data.
    I've started this process going from the "get information" screen, so I think I know how. But it's been running forever. Isn't there some type of universal setting for a drive or does it just need to crunch thru every single file and directory?

    Whatever you've done already it's the wrong thing to do. You cannot arbitrarily change permissions on every file on your backup using the Get Info window. The result will be a complete screwup of all the file permissions on your backup. You will manage to make a simple problem into an unsolvable one.
    Next time you should ask first before you act rather than after when you cannot go back. Since you did this to your TM backup drive about all you can do at this point is erase the drive and start your TM backups from scratch. Of course this doesn't resolve anything for whatever you tried to migrate to your new computer.
    If you migrated your old Home folder to the new computer then first be sure the account has admin status, then log into the account. You should then have full access to all your restored files. You can then delete the other user account.

  • Windows server 2008 R2 File& Folder Permissions; Ghost Permissions From "Parent Object" Assigned to Folder Owner

    Windows 2008 R2 file server: Subfolders of a particular folder have an account that has Full Control permission that are listed as inherited. That account has no permissions in the parent folder. It was, however the account that was used to copy the folders
    and their contents in there from another source and was the owner of the folder.
    In Advanced Permissions, it shows them as inherited from "Parent Object" as opposed to the folder name of the parent folder (there are some of these.) (The parent folder of the place where the problem occurs does not inherit from _its_ parent)
    I removed it as owner and yet the permissions remained. (as displayed either through the GUI or with ICACLS.)
    If I make _any_ edit in Advanced Permissions, the 'ghost' permissions then go away (e.g. add my account with full control - I'm domain admin, so have that anyway) This step seems like it should be unnecessary, but it is required in this situation.
    I've done this to 5 of about 20 subfolders and it is consistent. Folders which did not have the 'problem account' as their owner did not exhibit this characteristic.
    This affects the files within the subfolders as well.
    Oddly, adding an owner to a folder has the same effect and required the same edit before the permissions are seen. This was tested on a different drive on the same server.
    Is this an anomaly, a bug, or expected performance?

    Hi,
    Do you mean that there is an account that has Full Control permission that are listed as inherited but it doesn’t appear in the parent NFS permissions? If so, please try to uncheck the "Include inheritable permissions from this object's parent" checkbox,
    clicking Apply.
    There is a similar thread, please go through it to help troubleshoot this issue:
    NTFS: I have a user’s that's inherited from parent folder but it doesn’t appear in the Parent ACL
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6061af36-4d44-4de8-8139-d71f06d59a2c/ntfs-i-have-a-users-thats-inherited-from-parent-folder-but-it-doesnt-appear-in-the-parent-acl?forum=winserversecurity
    Regards,
    Mandy
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Remove-Item & Program Files folder: permissions error

    I am attempting to use Remove-Item to delete a file in Program Files and getting a permissions error. But, I am a local admin, and I tried running the script as administrator. I have also tried -Force, to no avail. I hope I don't have to go back to the DOS
    kludge I used in VBScript.
    Any thoughts?
    Gordon

    Well, this is odd. I tried doing it in the ISE, super simple, just Remove-Item and the raw path. Errors. But I verified that the folder in question is set to read only. So in the ISE I added -Force. And it worked.
    So I went back to my code and added -Force back in. And it worked. I assume if I misspelled it or something I would get an error, and I can't imagine the order makes any difference. May be that midnight is just a bit late to be playing in this sandbox.
    EDIT: The plot thickens. I have another folder giving me grief, but this folder actually says in Explorer that I don't have permission to view the folders permissions. this is a lame leftover folder after a (typically incomplete) Windows uninstall. Is there
    perhaps a PowerShell way of taking ownership of a folder like this? In my VBScript version I actually used DOS commands to do the deletes, and they all worked. 
    Thanks!
    Gordon

  • Default File and Folder Permissions

    Hello everyone,
    Is there anyway to set a default file/folder permissions for a parent folder and then if any new files or folders get created within that folder that files use 0644 and folder use 0755? I'm running MAMP for a localhost test site to run Joomla CMS, I have the parent folder set to 0755 but when ever I install a new extension in to Joomla the files are not writable. Is there a way I can set the main parant plublic_html / www folder to work like this for new child files and folders?
    Thanks guys.

    Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.
    Feedback

  • File and folder permissions for Adobe Photoshop CS5

    Good day,
    I am an IT specialist and I work for a Canadian governement agency and we are having an issue with Photoshop CS5. After successfully installing Photoshop CS5 from the Adobe Creative Suite 5 Design Premium set(using a local machine administrator account), Photoshop crashes immidiatly after launching it(even with the local administrator account). The exact error message is as follows:
    The instruction at "0x230dad8dc" referenced memory at "0x00000000". The memory could not be "read".
    Click on OK to terminate the program
    Click on CANCEL to debug the program
    I know this is an environement issue and not an application or hardware issue since I was able to successfully install and run Adobe Photoshop CS5 on a plain vanilla install of Windows SP3 XP on the same model of workstation(HP DC7800). This later also confirms it is not a RAM or video adapter issue either. My experience tells me it would be more related to file/folder permissions on the workstation(although I'm open to other suggestions).  Because we are a governement agency, our workstations have machine and user policies and desktop configurations that get applied to the workstations automatically upon joining our domain via GPOs and SMS. Certain system files and folder permissions may be locked down for security reasons therefor I was wondering is someone has a list of files and folders that Adobe CS5 needs access to upon startup in order to properly function?
    If anyone would like more details or information please let me know and I'll try to be more specific.
    Thanks in advance to all who take the time to read and help out!

    I appreciate that you're trying to surmise what's different, and it's good that you have had success with similar/identical hardware.  At least you know it can work.
    However, I wouldn't bet just yet that it's a permissions issue.  I'd think you should get a specific error if a locked-down file needed to be accessed, not a null pointer crash.  The Photoshop installer should be setting up the proper permissions on its own files for it to run.
    Is it exactly the same video card as the other computer, on which Photoshop works?
    Are you sure the video drivers are up to date with the same version as on the other computer?
    At exactly what point during startup does the failure occur (i.e., is the splash screen showing, and what does the status line in the splash screen say it's doing)?
    -Noel

  • The format of Audit log file

    We have a perl script to extract data from Audit log files(Oracle Database 10g Release 10.2.0.1.0) which have format as bellow.
    Audit file /u03/oracle/admin/NIKKOU/adump/ora_5037.aud
    Oracle Database 10g Release 10.2.0.1.0 - Production
    ORACLE_HOME = /u01/app/oracle/product/10.2.0
    System name:     Linux
    Node name:     TOYDBSV01
    Release:     2.6.9-34.ELsmp
    Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
    Machine:     i686
    Instance name: NIKKOU
    Redo thread mounted by this instance: 1
    Oracle process number: 22
    Unix process pid: 5037, image: oracleNIKKOU@TOYDBSV01
    Sun Jul 27 03:06:34 2008
    ACTION : 'CONNECT'
    DATABASE USER: 'sys'
    PRIVILEGE : SYSDBA
    CLIENT USER: oracle
    CLIENT TERMINAL:
    STATUS: 0
    After we update the db from Release 10.2.0.1.0 to Release 10.2.0.4.0, the format of Audit log file had been changed to something likes below.
    Audit file /u03/oracle/admin/NIKKOU/adump/ora_1897.aud
    Oracle Database 10g Release 10.2.0.4.0 - Production
    ORACLE_HOME = /u01/app/oracle/product/10.2.0
    System name:     Linux
    Node name:     TOYDBSV01
    Release:     2.6.9-34.ELsmp
    Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
    Machine:     i686
    Instance name: NIKKOU
    Redo thread mounted by this instance: 1
    Oracle process number: 21
    Unix process pid: 1897, image: oracle@TOYDBSV01
    Tue Oct 14 10:30:29 2008
    LENGTH : '135'
    ACTION :[7] 'CONNECT'
    DATABASE USER:[3] 'SYS'
    PRIVILEGE :[6] 'SYSDBA'
    CLIENT USER:[0] ''
    CLIENT TERMINAL:[7] 'unknown'
    STATUS:[1] '0'
    Because we have to rewrite the perl script, could anyone tell us where we can find the manual to describe the format of the Audit log file.

    Oracle publishes views of the audit trail data. You can find a list of the views for the 11.1 database here:
    http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGIICFE
    The audit trail does not really change between patchsets as that would constitute underlying structure changes and right now, the developers are not allowed to change the underlying structure of tables in patchsets. But, we can change what may be displayed in a column from patchset to patchset. For example, we are getting ready to update the comment$text field to display more information like dblinks and program names.
    I personally don't like overloading the comment$text field like that, but sometimes when you need the information, that is the only choice except to wait for the next major release :)
    As for the output of the audit log files, those can change between patchsets because of bugs that were found and some changes to support Audit Vault. My apologies out there for anyone that is reading the audit files written to the OS directly, I would recommend using the views.
    Hope that helps. Tammy

  • I have a white MacBook. I just changed out the hard drive with a 500GB. When I turn it on I get a file fold with a ? In the middle that flashes. What do I do next?

    I have a white MacBook and I just changed out the hard drive with a 500GB. When I turn it on I get a file fold with a ? In the middle that flashes. What do I do next?

    Clean Install of Snow Leopard
    Be sure to make a backup first because the following procedure will erase
    the drive and everything on it.
         1. Boot the computer using the Snow Leopard Installer Disc or the Disc 1 that came
             with your computer.  Insert the disc into the optical drive and restart the computer.
             After the chime press and hold down the  "C" key.  Release the key when you see
             a small spinning gear appear below the dark gray Apple logo.
         2. After the installer loads select your language and click on the Continue
             button. When the menu bar appears select Disk Utility from the Utilities menu.
             After DU loads select the hard drive entry from the left side list (mfgr.'s ID and drive
             size.)  Click on the Partition tab in the DU main window.  Set the number of
             partitions to one (1) from the Partitions drop down menu, click on Options button
             and select GUID, click on OK, then set the format type to MacOS Extended
             (Journaled, if supported), then click on the Apply button.
         3. When the formatting has completed quit DU and return to the installer.  Proceed
             with the OS X installation and follow the directions included with the installer.
         4. When the installation has completed your computer will Restart into the Setup
             Assistant. Be sure you configure your initial admin account with the exact same
             username and password that you used on your old drive. After you finish Setup
             Assistant will complete the installation after which you will be running a fresh
             install of OS X.  You can now begin the update process by opening Software
             Update and installing all recommended updates to bring your installation current.
    Download and install Mac OS X 10.6.8 Update Combo v1.1.

  • Keyboard not working (sometimes) when attempting to change file/folder name

    Every now and then, my keyboard doesn't seem to work when I'm trying to change the name of file or folder. I can't isolate any particular context when this occurs. When it happens, the keyboard works fine in other applications.
    Any ideas on why this happens?

    Here's a description of what happens. Let's say I want to change the name of a file or folder on my desktop. I click the item, then the name, and the name becomes editable. Every now and then, even though the file/folder name is in the edit mode (highlighted or cursor inserted), when I try to type nothing happens (the name doesn't change). When this occurs, the keyboard functions properly in all other ways.
    Again, I can't isolate the circumstances leading up to this. Any ideas?

  • Finder crashes when changing folder permissions

    When I try to change a folder's permissions via the Information window (Apple + i) the finder crashes reproducably.
    This is what I do:
    1.) select folder in finder and press apple + i
    2.) click the lock icon and enter Admin name and password
    3.) select "everyone" in name column
    4.) click on rights in the rights column
    5.) spinning ball, finder crashes and restarts
    According to http://docs.info.apple.com/article.html?path=Mac/10.5/en/8342.html
    steps 1 through 4 are exactly what should be done.
    Any other ideas?
    PS: I can remove users/groups via the +/- buttons but clicking the activity (is that the name?) button next to it leads to step 5.

    Then, I surmise that the problem's system-wide. For that, install the 10.5.5 COMBO update, repair permissions, and restart. If that doesn't fix things, you're looking at doing an Archive & Install installation. Details at http://support.apple.com/kb/HT1545

  • Task or script to monitor file ownership, permissions and change as needed

    I'm using a Mac OS X Tiger (10.4.9) computer as a file server for a group of people who are (1) individually non-administrative users and (2) members of Groups. The hard drive is partitioned into 2 volumes: Vol1 has no non-admin access, Vol2 has a Shared folder containing folders with files intended for either Public or Private access. I'm admin with UID=501 and trying not to be a danger. Each other user has a unique UID. Each Group has a unique GID. The folder that all users have access to is named Pub_shares. Every user allowed to access Pub_shares is a member of PubGroup (GID=505).
    Now when a user accesses a file nested in Pub_shares, that file usually becomes owned by that user and the group membership may change from PubGroup and may undergo a change to "Read only" or "No Access." Since all members of PubGroup should have Read & Write access to files in Pub_shares, this is a problem. All files in Pub_shares, regardless of who last touched them, should remain:
    Owner = chris / Access Read & Write
    Group = PubGroup / Access Read & Write
    Others = No Access
    I've read some about Ownership & Permissions. I've seen it suggested that an admin set up an automated task, say to run every 3 minutes; that task checks file ownership and permissions and, if different, changes the values recursively to those shown above, such that:
    Owner = 501 / Access = rwx
    Group = 505 / Access = rwx
    What do I need here? An Automator workflow? A shell script? AppleScript? Cron? launchd? How do I put this together? I don't know the syntax or the expressions to use. Any help is much much appreciated. [Note again: My "server" runs Tiger 10.4.9.] Thanks.

    ..."I have some Windows users (trying) to access shared files. Will the afp inheritance options stand up to a Windows user?"...
    No the afp inherit settings won't apply to windows sharing, but I think there are equivalent settings that can be applied to smb.
    ..."I thought, too, I'd read somewhere that inheritance options use the topmost volume folder to set inheritance patterns."...
    I am not able to double-check this for Tiger, but I don't think that is the case. As far as I know, with those settings enabled (and it doesn't work reliably if only one is enabled) permissions and ownership should be inherited from the folder that the items are added to.
    ..."My topmost folder on vol2 is "Shared" but it contains both Pub_shares (accessible by members of PubGroup) and a few Private_shares (folders accessible by members of various private groups)."...
    Sorry I missed that point in your earlier post. The above would cause complications if a user were to move items from the private area to the public area. The inheritance only applies to when files are created, so something moved from the private area to the public area would retain its original permissions. To make it work, the public and private areas would have to be set up as separate shares, rather sharing the whole volume.

Maybe you are looking for