How to determine who changed permissions on a directory?



I need to be able to determine with certainty who made a change to a
directory, and what the change was.

Here is the situation: I have some directories where the permissions were
changed, causing all kinds of problems until they were fixed back to their
correct settings. I am pretty confident that I know what directory,
approximately what time, and who - I just need to be able to prove it.

We do have auditing turned on with these settings:
Audit Account Logon events - Success, Failure
Audit Account Management - Failure
Audit Directory Service Access - Failure
Audit Logon Events - Failure
Audit Object Access - Success, Failure
Audit Policy Change - Success, Failure
Audit Privilege Use - Success, Failure
Audit Process Tracking - Failure
Audit System Events - Success, Failure

I've done some playing around with creating directories, changing
permissions, etc. and then looking to see what was logged. I do have Event
ID 560, 567 and 576 events logged when I do these sorts of things. But I
can't say I fully understand what is in the event. I was hoping for
something like "User Joe added Group OfficeParty to G:\ABC with
Read-Write-Delete permissions", but the events are a little more cryptic than
that.

So let's say I had a directory and deleted user XYZ and group ABC from the
ACL - is there a way I can tell that this was done (and specifically tell
that user XYZ was deleted, not just that some object was deleted)?

Let's say I had a directory and added a user with List Folder and Write
permissions (not Read) - what would the pattern be for that?

These are pretty much always going to be done by somebody right-clicking on
a network shared folder, going to the security tab, and then adding or
removing users or groups there.

Is there a way to replace one ACL with another, so that some IDs that had
access before no longer have it, but there was never a DELETE object event
logged?

The server in question is Windows 2003 SP1.

I have been using Event Comb MT, and I do have a saved copy of the Security
Event Log that covers the time period in question.

For example, I have an event like this. How can I tell what exactly user
JoeSchmoe did on the G:\ABC\Junk directory on Server1?

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 9/13/2007
Time: 9:51:38 PM
User: MYDOMAIN\JoeSchmoe
Computer: SERVER1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: G:\ABC\Junk
Handle ID: 18852
Operation ID: {0,329353281}
Process ID: 4
Image File Name:
Primary User Name: SERVER1$
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: JoeSchmoe
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x138FB0D5)
Accesses: READ_CONTROL
ReadAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20080

Or similarly for this one:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 567
Date: 9/13/2007
Time: 9:51:38 PM
User: MYDOMAIN\JoeSchmoe
Computer: SERVER1
Description:
Object Access Attempt:
Object Server: Security
Handle ID: 18852
Object Type: File
Process ID: 4
Image File Name:
Accesses: WRITE_DAC

Access Mask: 0x40000

Any help would be appreciated - Thanks!
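As an added example (not part of the question or of any answer), here is a Python sketch that ties the two events above together the way an investigator would: the 567 event only says that WRITE_DAC was exercised on Handle ID 18852, while the 560 event for the same handle is what names the object (G:\ABC\Junk) and the client user (JoeSchmoe). It assumes the plain-text export format shown in the question and decodes the Access Mask with the standard Win32 access-right bit values; note that 560/567 do not record the old or new ACL contents, so this identifies who wrote the DACL and when, not which entries changed.

```python
# Win32 access-right bits as they appear in the Access Mask of 560/567 events.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Constructed sample: the two events from the question, trimmed to the fields used.
SAMPLE_LOG = r"""
Event Type: Success Audit
Event ID: 560
Object Name: G:\ABC\Junk
Handle ID: 18852
Client User Name: JoeSchmoe
Client Domain: MYDOMAIN
Access Mask: 0x20080

Event Type: Success Audit
Event ID: 567
Handle ID: 18852
Access Mask: 0x40000
"""
def decode_mask(mask):
    """Name every access-right bit set in an Access Mask value."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def parse_events(text):
    """Split a Security log export into one field dict per 'Event Type:' record."""
    events = []
    for chunk in text.split("Event Type:")[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, val = line.partition(":")  # first colon only, so paths survive
            if sep:  # rows without a colon (e.g. extra access names) are skipped
                fields[key.strip()] = val.strip()
        events.append(fields)
    return events

def dacl_writes(text):
    """Pair each 567 that exercised WRITE_DAC with the 560 that opened its handle."""
    opens, hits = {}, []
    for ev in parse_events(text):
        eid, handle = ev.get("Event ID"), ev.get("Handle ID")
        if eid == "560":
            opens[handle] = ev  # the 560 names the object and the client user
        elif eid == "567" and handle in opens:
            mask = int(ev["Access Mask"], 16)
            if mask & 0x40000:  # WRITE_DAC: permission to change the DACL
                o = opens[handle]
                hits.append({"user": o["Client Domain"] + "\\" + o["Client User Name"],
                             "object": o["Object Name"], "accesses": decode_mask(mask)})
    return hits
```

Run `dacl_writes` over the full saved log rather than the trimmed sample to list every DACL write in the time window, then look for the matching 560 with a DELETE or WRITE_DAC access to see which handles were opened with intent to change permissions.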