You can audit the access of files and folders on NTFS volumes to identify who took various types of actions with the files and folders and hold those users accountable for their actions.
To set auditing on a file or folder, use User Manager to enable auditing of File and Object Access, and then use Windows NT Explorer to specify which files to audit and which type of file access events to audit. To view audit entries, use the Event Viewer.
You can audit successful and failed attempts of the following types of directory and file access:
Types of directory access | Types of file access |
Displaying names of files in the directory | Displaying the file's data |
Displaying directory attributes | Displaying file attributes |
Changing directory attributes | Displaying the file's owner and |
Creating subdirectories and files | Changing the file |
Going to the directory's subdirectories | Changing file attributes |
Displaying the directory's owner and permissions | Running the file |
Deleting the directory | Deleting the file |
Changing directory permissions | Changing the file's permissions |
Changing directory ownership | Changing the file's ownership |
To audit the following activities on a directory, select the events shown.
To audit the following activities on a file, select the events shown.
Note
To audit files and directories, you must be logged on as a member of the Administrators group.