How to Detect Who Changed a File or Folder Owner


Native Auditing vs. Netwrix Auditor for Windows File Servers

Native Auditing Netwrix Auditor for Windows File Servers
Steps
  1. Navigate to the required file share, right-click it and select "Properties" Select the "Security" tab → "Advanced" button → "Auditing" tab → Click "Add" button:
    • Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Change permissions and "Take ownership".
  2. Run gpmc.msc → Edit "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings. 
  3. Go to Local Policies → Audit Policy:
    • Audit object access → Define → Success and Failures.
  4. Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
    • Audit File System → Define → Success and Failures
    • Audit Handle Manipulation → Define → Success and Failures.
  5. Go to Event Log → Define: 
    • Maximum security log size to 1gb
    • Retention method for security log to Overwrite events as needed.
  6. Open Event viewer and search Security log for event id 4663 with "File Server" or "Removable Storage" task category and with "Accesses: WRITE_OWNER" string. "Subject Security ID" will show you who changed the file’s/folder's owner. 

  1. Run Netwrix Auditor, navigate to Reports → File Servers → File Servers Activity → Select “File Server Changes” report → View. 


Quickly detect changes to file/folder ownership to mitigate the risk of data breaches

Every object on a file share has an owner. A file’s owner controls who has permissions to the object; full access permissions are particularly important because they enable the user to read, copy, delete and relocate the file. Therefore, any change of a file owner increases the risk of unauthorized access that could result in the loss or leakage of sensitive data. IT administrators must continuously monitor every change to a file owner and detect improper changes in order to mitigate the risk of data breaches and compliance failures.

Netwrix Auditor for Windows File Servers delivers complete visibility into what’s happening on your Windows file servers and provides actionable audit data about all changes made to files and folders, including a change of a file owner. The application also provides the current and past values for each change. These values help you quickly detect which file’s owner was changed, the old and the new name of the owner of the file, when and where the change was made, and — most important — who changed a file owner.

Got Feedback? Share!