Is it possible to track down who or what changed a shared permission?

windows-server-2003

Today I received an email from one of my users asking why he couldn’t access his shared folder on one of our servers.

Example: \\servername\share\ = access denied.

When I checked the share permissions on the folder I was surprised to see that the user had been removed from the "shared permissions" list.

Now my question is: Is it possible to track who or what deleted the users share permissions on the folder?

I have studied the different event logs, but couldn’t find any indication of anyone who had changed the share permissions.

Kind Regards Martin


1)

Enable auditing in the local security policy on server servername. Select the Audit object access (success and failure) option in the audit policy.

cmd --> secpol.msc --> Local Policies ---> Audit Policy ---> Audit Object Access ---> change "Security Setting" from "no Auditing" to "Success, Failure"

There should be "Explain This Setting" tab for your reading

2)

Configure the SACL on the \servername\share. Specify auditing of the Full Control permission for Everyone.

Right-click on folder in Windows Explorer ---> choose Properties --> tab Security ---> btn "Advanced..." --> tab Auditing

The auditing logs: eventvwr.msc --> Security

Related

How to check is canonicalized domains are being used? Apache 301 redirect does not preserve referrer
Do admins mind exes being copied/installed to the users Application Data folder?
The "Italian sounding" issue
When is it okay to omit a determiner? (as in "Everything for baby")
What do you call a person who incessantly thinks only they are good enough to do something?
Acid vs. Acidic
Better way of saying "those who are curious"?
Modern use of "bourgeoisie"
How to use possessive apostrophe with words in quotation marks?
etymology of eavesdropping [closed]
What's the difference in meaning between "variation" and "alteration"?
Pit as a past tense verb