How to Detect Who Tried to Modify a File or a Folder on Your Windows File Server

Native Auditing
  1. Navigate to the required file share → Right-click it and select "Properties".
  2. Go to the "Security" tab → Click the "Advanced" button → Switch to the "Auditing" tab → Click the "Add" button and define auditing:
    • Principal equals "Everyone"
    • Type equals "All"
    • Applies to: "This folder, subfolders and files".
  3. Select the following "Advanced Permissions":
    • Traverse folder / execute file
    • List folder / read data
    • Create files / write data
    • Create folders / append data
    • Write attributes.
  4. Run gpedit.msc → Go to the "Edit" menu.
  5. Create a new policy → Edit → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit object access → Define → Success and Failures
  6. Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
    • Audit File System → Define → Success and Failures
    • Audit Handle Manipulation → Define → Success and Failures
  7. Go to Event Log → Define:
    • Maximum security log size to 4 GB
    • Retention method for security log to "Overwrite events as needed"
  8. To link the new GPO to the OU with file servers, go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Select the GPO that you’ve created.
  9. To force the group policy update, go to "Group Policy Management" → Right-click the defined OU → Click "Group Policy Update".
  10. Open Event Viewer → Search the Windows Security log for event ID 4656 with the "Audit Failed" keyword, the "File Server" or "Removable Storage" task category, and the strings "Accesses: READ_CONTROL" and Access Reasons: "WriteData (or AddFile) Not granted". The "Subject: Security ID" field will show you who tried to change a file.
Detect Who Tried to Modify a File or a Folder with Native Auditing
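
The Event Viewer search from step 10, scripted as an added example (it is not part of the original how-to or of any Netwrix tooling). The function name `Get-DeniedWriteAttempt` and its `-PathPrefix` parameter are hypothetical, matching on the rendered message assumes English-language event text, and the script must run in an elevated session on the file server.

```powershell
# Added example: report denied write attempts (event ID 4656, Audit Failure)
# from the live Security log, grouped by the account that was refused.
$AuditFailure = 4503599627370496   # keyword bit 0x10000000000000 = "Audit Failure"

function Get-DeniedWriteAttempt {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$PathPrefix = ''   # hypothetical filter, e.g. 'D:\Shares\'; empty = every audited path
    )
    $filter = @{ LogName = 'Security'; Id = 4656; Keywords = $AuditFailure; StartTime = $Since }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No matching events" is an empty result; anything else (e.g. access denied) must surface
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
    foreach ($ev in $events) {
        # Keep only events where the write right itself was refused (assumes English rendering)
        if ($ev.Message -notmatch 'WriteData \(or AddFile\):\s*Not granted') { continue }
        # Read fields by name from the event XML instead of by position
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $object = [string]$data['ObjectName']
        if ($PathPrefix -and -not $object.StartsWith($PathPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            SecurityId  = $data['SubjectUserSid']
            Object      = $object
            Process     = $data['ProcessName']
        }
    }
}

# Accounts refused most often over the last week, with the number of distinct objects touched
Get-DeniedWriteAttempt -Since (Get-Date).AddDays(-7) |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Objects'; e = { ($_.Group.Object | Sort-Object -Unique).Count } }
```

An account with many failures spread over many distinct objects deserves a closer look than one with repeated failures on a single file, which is more often a misconfigured application or mapped drive.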
  1. Run Netwrix Auditor → Navigate to “Search” → Click on “Advanced mode” if not selected → Set up the following filters:
    • Filter = “Data source”
      Operator = “Equals”
      Value = “File Servers”
    • Filter = “Action”
      Operator = “Equals”
      Value = “Modify (Failed Attempt)”
  2. Click the “Search” button and review who tried to modify files and folders on your file server.
Detect Who Tried to Modify a File or a Folder with Netwrix Auditor


To create an alert on failed attempts to modify a file or a folder, do the following:

  1. From the search results, navigate to “Tools” → Click “Create alert” → Specify the new alert’s name.
  2. Switch to the “Recipients” tab → Click "Add Recipient" → Specify the email address where you want the alert to be delivered.
  3. Click “Add” to save the alert.

Keep an Eye on Who Tried to Modify Sensitive Files to Harden Your Data Security

Unauthorized modification of files can lead to business disruption or even the leakage or loss of sensitive data, such as personally identifiable information or medical records. Therefore, it’s essential to detect and investigate unauthorized attempts to modify files in a timely manner. By regularly reviewing failed file change attempts, IT pros can detect possible attacks and enhance data security by recognizing and revoking excessive permissions to modify sensitive data on their organization’s file servers.

Netwrix Auditor for Windows File Servers delivers complete visibility into what’s happening on your Windows file servers, including who tried to modify sensitive files or folders. Using the Interactive Search feature and predefined reports, IT pros can get detailed information about who tried to modify a file, when and where each modification attempt happened, and whether the attempt was successful. This information is critical for security investigations and compliance audits that require IT admins to prove that sensitive data is secure.
