How To Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000 (301640)


The information in this article applies to:

  • Microsoft Windows 2000 Server
This article was previously published under Q301640

IN THIS TASK

SUMMARY

This step-by-step article provides information about how to set, view, change, or remove auditing for a file or folder in Microsoft Windows 2000.

back to the top

Setting, Viewing, or Removing Auditing for a File or Folder

To audit files and folders, you must be logged on as a member of the Administrators group or have been granted the Manage auditing and security log right in Group Policy. You can set file and folder auditing only on drives that are formatted to use NTFS. Because the security log is limited in size, carefully select the files and folders to be audited. Also consider the amount of disk space you are willing to devote to the security log. The maximum size is defined in Event Viewer.

To set, view, change, or remove auditing for a file or folder:
  1. Click Start, point to Programs, point to Accessories, and then click Windows Explorer. Locate the file or folder you want to audit.
  2. Right-click the file or folder, click Properties, and then click the Security tab.
  3. Click Advanced, and then click the Auditing tab.
  4. Use one of the following procedures:
    • To set up auditing for a new group or user, click Add. Type the name of the user you in the Name box, and then click OK.
    • To view or change auditing for an existing group or user, click the name, and then click View/Edit.
    • To remove auditing for an existing group or user, click the name, click Remove, and then skip steps 5 through 7.
  5. If necessary, in the Auditing Entry dialog box, select where you want auditing to take place in the Apply onto box. The Apply onto box is available only for folders.
  6. Under Access, click Successful, Failed, or both for each access you want to audit.
  7. If you want to prevent files and subfolders within the tree from inheriting these audit entries, click to select the Apply these auditing entries check box.
NOTE: If the check boxes under Access are unavailable in the Auditing Entry dialog box, or if the Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from the parent folder.

back to the top

Troubleshooting

Before Windows 2000 can audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders will be audited. After auditing is enabled in Group Policy, view the security log in Event Viewer to review successful or failed attempts to access the audited files and folders.

back to the top
Modification Type:MinorLast Reviewed:7/15/2004
Keywords:kbhowto kbHOWTOmaster KB301640 kbAudITPro
©2004 Microsoft Corporation. All rights reserved.