ProblemYou want to find out who opened or modified a file last. SolutionTo find who opened or modified a file last, you have to enable auditing on that file. To enable auditing, you have to enable auditing at the system level and then enable auditing on the particular object (in this case a file) in which you are interested. Using a graphical user interfaceDo the following to enable auditing at the system level:
Now you need to enable auditing on the target file(s) or folder(s):
Using a command-line interfaceUse the auditpol command to enable auditing at the system level: > auditpol \\<ComputerName> /enable /object:all Microsoft doesn't provide a tool to configure the audit settings of files. However, you can do this with the setacl.exe tool. It is available for download from SourceForge at http://setacl.sourceforge.net/. Here is an example of setting an audit entry on the file d:\myimportantfile.txt for all failed access attempts by the Everyone principal: > setacl -on "d:\myimportantfile.txt" -ot file -actn ace -ace "n:everyone;p:full;m:aud_fail;w:sacl" DiscussionBe careful when enabling auditing on a frequently accessed set of files or folders. The number of audit messages in the Security event log can grow quickly with just a few accesses of the file. Monitor the Security event log closely after initially enabling auditing just to make sure you don't flood it. See AlsoRecipe 17.2 for more on auditing |