Re: How do I monitor file access rights on Win2003?

Thanks, but that does not get me the result I would like to have. The
best entry I can see the looks like this (Sorry, but it is in German):

*********************************************************
Ereignistyp: Erfolgsüberw.
Ereignisquelle: Security
Ereigniskategorie: Objektzugriff
Ereigniskennung: 560
Datum: 19.05.2006
Zeit: 16:59:44
Benutzer: *DOMAIN\USER*
Computer: *HOSTNAME*
Beschreibung:
Geöffnetes Objekt:
Objektserver: Security
Objekttyp: File
Objektname: *FILENAME*
Handlekennung: 1680
Vorgangskennung: {0,78584807}
Prozesskennung: 3324
Abbilddateiname: C:\WINDOWS\explorer.exe
Primärer Benutzername: *USER*
Primäre Domäne: *DOMAIN*
Primäre Anmeldekennung: (0x0,0x.......)
Clientbenutzername: -
Clientdomäne: -
Clientanmeldekennung: -
Zugriffe: READ_CONTROL
WRITE_DAC
Attribute lesen

Rechte: -
Beschränkte SID-Anzahl: 0
Zugriffsmaske: 0x60080


Weitere Informationen über die Hilfe- und Supportdienste erhalten Sie
unter http://go.microsoft.com/fwlink/events.asp.
*********************************************************

So I know who wanted to change which file at which time.
Problem 1: I only get to know that the permission for changing
permission has been granted. I do not know if the permission actually
got changed. Not very good, but I colud live with that.
Problem 2: I do not know how the permissions got changed. Did the user
add another user/group? Did the user grant more permissions or did he
revoke some? I have no idea!

I tried to solve problem no. 2, but unfortunately that is not as
trivial as I first thought. If I try to scan the file right after the
rights have been changed I can see the new status of the rights. Since
I haven't figured out a way to see who changed the file, I have to
match it with the Event Log. This works fine in the beginning, but once
the Log reaches a certain size, it takes too long to scan it for the
matching entry. Especially if someone changed permissions on a folder
that includes many subfolders and files.

.

Relevant Pages

  • Re: quad
    ... themselves at the door and requesting permission to enter. ... The only forced entry I have known to occur have been by Customs and the ... Doors have locks, a locked door is my way of saying you are not invited to ... common courtesy and commonsence. ...
    (uk.business.agriculture)
  • Re: RogeBasin Articles
    ... and there, and adding a few small entries (my entry, Mersenne Twister, and a couple others). ... I'm going to start doing what a few people have talked about, but nobody has done yet: start moving useful rgrd threads to RogueBasin. ... Only a small handful of people who posted on that thread gave permission for the rgrd wiki project. ...
    (rec.games.roguelike.development)
  • Re: Slow NTFS Permission Application
    ... > add a new permission entry on the TOP folder ONLY. ... Would a command line tool behave better? ...
    (microsoft.public.windows.server.security)
  • Re: TV licensing have called but....
    ... people were one of the group who have a statutory right of entry. ... I heard the letterbox being used but by the time ... a TVLA inspector is intending to call at my ... premises without appointment or permission. ...
    (uk.legal)
  • Re: Problem sharing by computer name
    ... I would suggest you grant sharing by username. ... > added computer B with full control (it is the only entry ... you pick your user (you stated there was only 1 entry there) use the ... You might not have permission ...
    (microsoft.public.win2000.security)