Share via

How to use Security Auditing to track which Computer has accessed a shared folder?

Anonymous
2024-09-30T02:19:44+00:00

Hi.

I recently followed this guide on a Microsoft Learn link: How can I check that who accessed my shared folder?

I have been able to implement this, and am now able to audit when a shared folder is being accessed by which Domain User.

I am now seeking to be able to get additional details on which Computer has accessed the folder, but I am having trouble finding where to be able to find or do this.

Seeking comments or assistance here.

Thanks.

Windows Server | Identity and access

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments
Accepted answer
  1. Anonymous
    2024-09-30T15:03:14+00:00

    Hello Mr Cheese,

    Thank you for posting in Microsoft Community forum.

    To track which computer has accessed a shared folder using Security Auditing in Windows, you need to enable auditing on both the folder and on the system where the shared folder resides.

    Here are the steps:

    Step 1: Enable Object Auditing via Group Policy

    1. Press Win + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
    2. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
    3. Double-click Audit Object Access.
    4. Check both Success and Failure options. Click Apply, then OK.

    Step 2: Enable Auditing on the Shared Folder

    1. Navigate to the folder you want to audit.
    2. Right-click the folder and select Properties.
    3. Go to the Security tab and click Advanced.
    4. In the Advanced Security Settings window, go to the Auditing tab and click Add.
    5. Click on Select a Principal and type Everyone. Click Check Names and then OK.
    6. In the Auditing Entry window, check the Successful and Failed boxes for the types of access you want to audit (e.g., Read, Write, etc.).
    7. Click OK, then Apply, and OK to close all dialog boxes.

    Step 3: View the Security Logs

    1. Press Win + R, type eventvwr.msc, and press Enter to open Event Viewer.
    2. Navigate to Windows Logs -> Security.
    3. Look for Event ID 4663 which indicates that an object (the folder) was accessed.
    4. Click on the event and review the details to see which user and computer accessed the folder.

    Notes:

    You need administrative privileges to perform these actions. Ensure that your system's event logging is adequately sized to handle potentially large numbers of events, especially if auditing multiple objects and types of access.

    If you are in a domain environment, you may need to modify Group Policy at the domain level rather than the local computer.

    You can check the name as below:

    I am not sure if it is server that shared the folder or the machine that the users access.

    4663(S) An attempt was made to access an object. - Windows 10 | Microsoft Learn

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest