Minyeong-3378 asked

How can I check who accessed my shared folder?

Hello.
I want to make a central storage system in my office with Windows 10.
My colleagues and I already use shared folders through the Windows network.
We access each other's shared folders and read/delete files now.
We need to change this process and try to set up a central storage system.
My question is, when I use a computer with Windows 10 as the central storage system,
how can I check who accessed a certain shared folder?

I set 'Local Security Policy' - 'Audit' and checked the log at 'Event Viewer' - 'Windows Logs' - 'Security'.
But it seems that there is a difference between the log time and the real operating time.

windows-10-network

MotoX80 answered

In addition to setting the audit policy, on the files/folders you have enabled auditing on them too.

https://www.varonis.com/blog/windows-file-system-auditing?msclkid=dc056741d09511eca1378bacd14ae810


LimitlessTechnology-2700 answered

Hello

Thank you for your question and reaching out.
I can understand you are having some issues/queries related to knowing who has accessed a shared folder.

Using Local Security Policy Editor, you can administer security settings on a workstation. The Audit Object Access policy in LSPE permits administrators to keep track of who views or modifies a file or folder. After enabling this policy on a computer, set up auditing on the appropriate file in order to see, via Event Viewer, who accessed it.

1. From Run, type "secpol.msc" into the search field, and then press "Enter" to open Local Security Policy.

2. Expand "Security Settings" and "Local Policies," and then click the "Audit Policy" folder.

3. Double-click "Audit Object Access" in the right pane to open the Audit Object Access Properties dialog box.

4. Check "Define These Policy Settings," check "Success," and then click "OK" to monitor file access.

5. Press "Windows-E" to open File Explorer, navigate to the appropriate folder, right-click the target file and select "Properties" from the context menu, and then click "Security."

6. Click the "Advanced" button, click the "Auditing" tab, and then click "Continue." Click the "Add" button, and then click the "Select a Principal" link.

7. Type the name of a user or group into the available field, click "Check Names," and then click "OK."

8. Select "Success" from the "Type" drop-down menu, select the appropriate permissions for the user or group, and then click "OK."

9. Repeat Steps 6 through 8 for each user or group, and then click "OK" to close each window.

Check File Access

1. Press "Windows-W," type "event," and then select "View Event Logs" from the results.

2. Expand "Windows Logs," and then click "Security." Select "Filter Current Log" from the left pane, and then enter "4663" (without quotes) into the "<All Event IDs>" field.

3. Choose "Audit Success" from the "Keywords" drop-down menu, and then click "OK" to create the filter.

4. Select the first item in the log, and then check the Object Name field on the General tab to see which file was accessed. Select the following item in the log until you find the appropriate event.

5. Review the Subject field on the General tab to see which network user accessed the file last.


--If the reply is helpful, please Upvote and Accept as answer--


Hello.
Thank you for your answer.

I can check it when my account deletes a file, and there is no time gap between the log time and the real action time.
But I can check the delete log only when my computer (main server) deletes a file.
When my colleague tried to delete a file which is on the server, I couldn't find any log of what my colleague did.

I set the name of the group (Step no. 7) as "Everyone".

Is there any problem? Or is there something that I missed?
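
The steps in the answer above can also be scripted. The following is an added example, not code from any poster in this thread: it enables success auditing, adds an audit entry on the folder, and lists the 4663 events with user, object and time. `D:\Shared` is a placeholder path, the audited rights are one possible selection, and the subcategory name is the one used on English-language Windows.

```powershell
# Run in an elevated PowerShell session on the machine that hosts the share.
$Folder    = 'D:\Shared'    # placeholder path: replace with the shared folder
$Principal = 'Everyone'     # user or group to audit (as in step 7)

# Steps 1-4: enable success auditing for file access.
# "File System" is the Object Access subcategory that produces event 4663 for files.
auditpol /set /subcategory:"File System" /success:enable

# Steps 5-9: add a Success audit entry (SACL) that is inherited by subfolders and files.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Folder -Audit     # -Audit loads the existing SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Confirm the entry is present.
(Get-Acl -Path $Folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# "Check File Access": read event 4663 from the Security log and pull out the named fields.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated   # shown in the local time zone of this machine
            User       = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
            Object     = $fields['ObjectName']
            AccessMask = $fields['AccessMask']
        }
    } |
    Where-Object { $_.Object -like "$Folder*" } |
    Sort-Object Time |
    Format-Table -AutoSize
```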
