I noticed that on weekend the user/group permission was revoked in few folder under data drive in windows server 2019. Is there any option or event id to find that who removed the access? is it manual or GPO?

Thulasirajan Gopal (NCS) 0 Reputation points
2023-11-16T08:54:55.0266667+00:00

In my lab environment, I noticed that on weekend the user/group permission was revoked in few folder under D drive in windows server 2019. Is there any option or event id to find that who removed the access? is it manual or GPO or any? will it be remove by automatic?

I already checked the event id 4670 and below details found but it is not enough to confirm because there is no account id in it.

Permission on an object were changed.

Subject:

Security id: System

Object:

Obeject server: Security

Object Type: Token

Process:

Process Name: C:\windows\system32\svchost.exe

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,762 questions
0 comments No comments
{count} votes