Today I received an email from one of my users asking why he couldn’t access his shared folder on one of our servers.
Example: \\servername\share\ = access denied.
When I checked the share permissions on the folder I was surprised to see that the user had been removed from the "shared permissions" list.
Now my question is: Is it possible to track who or what deleted the user's share permissions on the folder?
I have studied the different event logs, but couldn’t find any indication of anyone who had changed the share permissions.
Kind Regards Martin
1) Enable auditing in the local security policy on server servername. Select the Audit object access (success and failure) option in the audit policy.
cmd --> secpol.msc --> Local Policies ---> Audit Policy ---> Audit Object Access ---> change "Security Setting" from "no Auditing" to "Success, Failure"
There should be an "Explain This Setting" tab for your reading.
2) Configure the SACL on \\servername\share. Specify auditing of the Full Control permission for Everyone.
Right-click on folder in Windows Explorer ---> choose Properties --> tab Security ---> btn "Advanced..." --> tab Auditing
The auditing logs: eventvwr.msc --> Security
I suspect that changing share permissions is a use of a privilege. You can turn on privilege usage auditing.
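Steps 1) and 2) above and the Security log lookup, scripted in PowerShell as an added example (not part of the original posts). `D:\share` is an assumed local path for the shared folder, and the query filters on event IDs 4663 (object access attempt) and 4670 (permissions on an object changed).

```powershell
#Requires -RunAsAdministrator
# Added example. Assumption: D:\share is the local path behind \\servername\share.
$Folder = 'D:\share'

# Step 1: same effect as secpol.msc -> Audit Policy -> Audit object access.
# The category name is the English one; it is localized on non-English systems.
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Step 2: add a SACL entry that audits Full Control for Everyone (SID S-1-1-0),
# inherited by subfolders and files, for both successful and failed access.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the existing SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Review: pull recent object-access and permission-change events for the folder
# from the Security log (what eventvwr.msc -> Security shows) and list who did what.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } `
                       -MaxEvents 1000 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if ($data['ObjectName'] -like "$Folder*") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
            OldSd   = $data['OldSd']   # populated on 4670 only
            NewSd   = $data['NewSd']   # populated on 4670 only
        }
    }
}
```

Auditing only records events from the moment it is enabled, so the output covers changes made after the script has run.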