You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
Local Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.
|To apply or modify auditing policy settings for a local file or folder|
Open Windows Explorer.
Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.
Click Edit, and then click Advanced.
If you are not logged on as a member of the Administrators group on this computer, you must provide administrative credentials to proceed.
In the Advanced Security Settings for <object> dialog box, click the Auditing tab.
Do one of the following:
- To set up auditing for a new user or group,
click Add. In Enter the object name to select, type
the name of the user or group that you want, and then click
- To remove auditing for an existing group or
user, click the group or user name, click Remove, click
OK, and then skip the rest of this procedure.
- To view or change auditing for an existing
group or user, click its name, and then click Edit.
- To set up auditing for a new user or group, click Add. In Enter the object name to select, type the name of the user or group that you want, and then click OK.
In the Apply onto box, click the location where you want auditing to take place.
In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:
- To audit successful events, select the
Successful check box.
- To stop auditing successful events, clear the
Successful check box.
- To audit unsuccessful events, select the
Failed check box.
- To stop auditing unsuccessful events, clear
the Failed check box.
- To stop auditing all events, click Clear
- To audit successful events, select the Successful check box.
If you want to prevent subsequent files and subfolders of the original object from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.
Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
- You must be logged on as a member of the
Administrators group or you must have been granted the Manage
auditing and security log right in Group Policy to perform this
- To open Windows Explorer, click Start,
point to All Programs, click Accessories, and then
click Windows Explorer.
- After object access auditing is enabled, view
the security log in Event Viewer to review the results of your
- You can set up file and folder auditing only
on NTFS drives.
- If you see either of the following, auditing
has been inherited from the parent folder:
- In the Auditing Entry for <File or
Folder> dialog box, in the Access box, the check
boxes are unavailable.
- In the Advanced Security Settings for
<File or Folder> dialog box, the Remove button is
- In the Auditing Entry for <File or Folder> dialog box, in the Access box, the check boxes are unavailable.
- Because the security log is limited in size,
select the files and folders to be audited carefully. Also,
consider the amount of disk space that you want to devote to the
security log. The maximum size for the security log is defined in