How to Detect Who Changed a File or Folder Owner


Native Auditing vs. Netwrix Auditor for Windows File Servers

Native Auditing Netwrix Auditor for Windows File Servers
Steps
  1. Navigate to the required file share, right-click it and select "Properties" Select the "Security" tab → "Advanced" button → "Auditing" tab → Click "Add" button:
    • Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Change permissions and "Take ownership".
  2. Run gpmc.msc → Edit "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings. 
  3. Go to Local Policies → Audit Policy:
    • Audit object access → Define → Success and Failures.
  4. Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
    • Audit File System → Define → Success and Failures
    • Audit Handle Manipulation → Define → Success and Failures.
  5. Go to Event Log → Define: 
    • Maximum security log size to 1gb
    • Retention method for security log to Overwrite events as needed.
  6. Open Event viewer and search Security log for event id 4663 with "File Server" or "Removable Storage" task category and with "Accesses: WRITE_OWNER" string. "Subject Security ID" will show you who changed the file’s/folders owner. 

  1. Run Netwrix Auditor, navigate to Reports → File Servers → File Servers Activity → Select “File Server Changes” report → View. 


Quickly detect changes to file/folder ownership to mitigate the risk of data breaches

Every object on a file share has an owner. A file’s owner controls how permissions are set on the object and, more important, who can be granted permissions to the object. Therefore, any change of a file owner may be alarming because it can increase the risk of unauthorized access that can result in leaks of sensitive data.  IT administrators must continuously monitor every change to a file owner and detect improper changes in order to mitigate the risk of data breaches and compliance failures.

Netwrix Auditor for Windows File Servers delivers complete visibility into what’s happening on your file servers and provides actionable audit data about all changes made to files and folders, including a change of a file owner. The solution delivers deep insight into every change across all your file servers, including who changed a file owner, and provides current and past values for each change. These values help you quickly detect which file’s owner was changed, the old and the new name of the owner of a file, when and where the change was made, and more.  

Got Feedback? Share!