Monitor Fuile and Folder permissions
dear All, We need to monitor the permissions for the files and folders , is there something we can do with SCOM to get alerted if the permission of folder / file is changed. Thanks.
May 16th, 2011 3:57am

Hi, You can enable an audit on this folder and then create an alerting rule for an event with ID 4670 (Windows Server 2008\Vista and later) in a Security Eventlog. http://OpsMgr.ru/
Free Windows Admin Tool Kit Click here and download it now
May 16th, 2011 4:10am

Does that require Configuring ACS, Do i have to create a monitor for every Folder , How will i discover folders.. Is there Any other way?
May 16th, 2011 6:51am

>Does that require Configuring ACS, No, it does not. >Do i have to create a monitor for every Folder , No, you don't (in most cases). >How will i discover folders... You do not need to discover the folder as the instance. I think it's an overkill. You should do that only if you have a specific requirements for that. >Is there Any other way? Technically speaking, yes there is a way to do it without an audit. But you'll end with a complex scripts. I do not think you want it. http://OpsMgr.ru/
Free Windows Admin Tool Kit Click here and download it now
May 16th, 2011 7:13am

I Followed these Steps: http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/ecb34839-f3ee-4621-aab4-212691e5e5b5 To enable folder permission auditing, you can follow the below steps: 1. Click start and run "secpol.msc" without quotes. 2. Open the Local Policies\Audit Policy 3. Enable the Audit object access for "Success" and "Failure". 4. Go to Auto Hidden files and folders, right click the folder and select properties. 5. Go to Security Page and click Advanced. 6. Click Auditing and Edit. 7. Click add, type everyone in the Select User, Computer, or Group. 8. Choose Apply onto: This folder, subfolders and files. 9. Tick on the box “Change permissions” 10. Click OK. I ran Gpupdate (dont know if that was reuired) - I logged Off and then Logged Back on. I tried To chnage the permission of the Folder ... But unfortunately .. No Event ID 4670 Anything i am missing?
May 16th, 2011 8:27am

What OPerating System do you have? Windows Server 2008 R2?http://OpsMgr.ru/
Free Windows Admin Tool Kit Click here and download it now
May 16th, 2011 9:41am

So what event DO you see when you change folder permissions? When building monitoring you need to do a little bit of learning and investigating about what is happening in the OS logs. It's much faster to just watch what security event is fired than it is to wait for someone on a public forum to try it and get back to you.Microsoft Corporation
May 16th, 2011 11:33am

Yes It is Win 2008 R2 , I do not see events that state anything like permission has been changed..
Free Windows Admin Tool Kit Click here and download it now
May 17th, 2011 2:41am

>7. Click add, type everyone in the Select User, Computer, or Group. What do you selected at this step?http://OpsMgr.ru/
May 17th, 2011 2:46am

In addition, please also refer to the following methods: Monitoring File Access with SCOM http://opsmgrsolutions.wordpress.com/2010/02/02/monitoring-file-access-with-scom/ Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. Audit Other Policy Change Events http://technet.microsoft.com/en-us/library/dd772640(WS.10).aspx Hope this helps. Thanks. Nicholas Li - MSFT Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
May 17th, 2011 4:16am

I had selected Everyone in there.
May 18th, 2011 4:51am

This looks great , Thaks Nicholas .. Will check it.
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2011 4:51am

I received the event :) , i guess i had forgotten to add Everyone to the share permission (Security permission was there but Share was not) Thanks
May 19th, 2011 4:29am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics