Auditing permission changes of certain folders

I would like to audit certain files and folders on our file servers so I can set up a scheduled task to send us emails when the permissions get changed on two important folders we need to modify.

On both folders, I set up auditing for the Everyone group and set it up so that it creates an event ID of 4907 when someone changes the permissions on the folder, either by adding/removing groups or users or by modifying someone's access rights.

After setting the auditing up on the folder, I added a few users to it and changed access rights but it did not register an event id of 4907 or any other type of event id.

I dug a bit deeper, and the only time I get a notification in the event logs that something changed on the folder is if I add or remove someone on the auditing tab; then it triggers the event ID of 4907.

So what is the proper way of auditing a folder so that if someone changes the permissions on it, it will always log an entry in the Security event log? Also, what will the event ID be?

January 28th, 2014 9:16pm

Hi,

From the following thread:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e432ffca-7de1-42a6-9b6c-19e15175a764/how-to-audit-changed-permissions-on-ntfs-folders-the-best-way?forum=winserversecurity

You should get events 560, 562 by checking the check-boxes for Change permissions both "successful" and "failed".

January 29th, 2014 4:55pm

How are things going? Please let us know if there is any progress.
February 3rd, 2014 4:28am

Check the Auditing tab in the folder's Security > Advanced (at bottom).

You can use that and activate auditing for your folders. Check this link: http://technet.microsoft.com/en-us/library/cc784387(v=ws.10).aspx

February 3rd, 2014 5:57am
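
Added example, not part of the original thread or any poster's code: one way to create the folder audit entry discussed above from PowerShell and read back the resulting Security log events. The folder path and the function name `Get-FolderPermissionEvent` are placeholders; event ID 4670 is not mentioned in the thread and is included as the ID Windows Server 2008 and later log when an object's permissions (DACL) change, next to the 4907 from the question, which records changes to the auditing settings (SACL).

```powershell
#Requires -RunAsAdministrator
# Added example. $Path is a placeholder; point it at the folder to audit.
$Path = 'D:\Shares\Important'

# 1. A SACL entry produces no events unless the "File System" audit
#    subcategory is enabled (a domain GPO may override this local setting).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry for Everyone covering "Change permissions" and
#    "Take ownership", success and failure, inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back events that concern this folder tree.
#    4670 = permissions (DACL) on an object were changed
#    4907 = auditing settings (SACL) on an object were changed
function Get-FolderPermissionEvent {
    param([string]$Folder, [int]$MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 4670, 4907 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the named EventData fields into a hashtable
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['ObjectName'] -like "$Folder*") {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Id     = $_.Id
                    User   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Object = $d['ObjectName']
                    OldSd  = $d['OldSd']   # security descriptor before the change (SDDL)
                    NewSd  = $d['NewSd']   # security descriptor after the change (SDDL)
                }
            }
        }
}

Get-FolderPermissionEvent -Folder $Path | Format-List
```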

This topic is archived. No further replies will be accepted.
