Auditing File and Folder Access

You can audit the access of files and folders on NTFS volumes to identify who took various types of actions with the files and folders and hold those users accountable for their actions.

To set auditing on a file or folder, use User Manager to enable auditing of File and Object Access, and then use Windows NT Explorer to specify which files to audit and which type of file access events to audit. To view audit entries, use the Event Viewer.

You can audit successful and failed attempts of the following types of directory and file access:

Types of directory access

Types of file access

Displaying names of files in the directory

Displaying the file's data

Displaying directory attributes

Displaying file attributes

Changing directory attributes

Displaying the file's owner and
permissions

Creating subdirectories and files

Changing the file

Going to the directory's subdirectories

Changing file attributes

Displaying the directory's owner and permissions

Running the file

Deleting the directory

Deleting the file

Changing directory permissions

Changing the file's permissions

Changing directory ownership

Changing the file's ownership


To audit the following activities on a directory, select the events shown.

To audit the following activities on a file, select the events shown.

Note

To audit files and directories, you must be logged on as a member of the Administrators group.