Auditing Access to Files

To audit access to files, you must perform two tasks:

  • 1.) Enable the Audit Policy called "Audit Object Access".

  • 2.) Enable auditing on the individual files and folders you wish to audit.

Both of these procedures are outlined below.

To enable the "Audit Object Access" policy, do the following:
(Note: this procedure shows how to setup Auditing using "Local Security Policy". If your computer is a member of a domain, you can perform the same tasks using Group Policy. Be aware that Group Policy settings will override Local Policy Settings).

1.) Click on "Start" -> "Programs" -> "Administrative Tools" -> "Local Security Policy".

2.) Navigate to "Audit Policy" in the left pane.

audit Policy

3.) In the left pane of "Local Security Settings" window, double click on the "Audit Object Access" entry.

4.) Click on the "Success" and "Failure" checkboxes to enable auditing for files.

Audit Success

5.) Click on the OK Button.

To enable auditing of an individual file or folder, do the following:

1.) Right click on the file in Explorer, and choose "Properties", as shown in the figure.

File Properties

2.) Click on the Security tab, and then click on the "Advanced" button as shown in the figure. If you don't have a Security tab, your are probably not using NTFS. If so, it is strongly recommended that you upgrade to NTFS (using the convert /FS:NTFS command) so that you can use file permissions.


3.) Click on the "Auditing" tab, and then click on the "Add" button, as shown in the figure.

File Access Control

4.) Double click on the "Everyone" group.

Audit Everyone

5.) Click on the actions you wish to Audit, and then click on "OK".

Select who to Audit