Windows – Audit file system.

Each Windows system on your network has nine audit policy categories and policy subcategories, which you can enable or disable.
You will see policy settings for only the main categories:
When you open an audit policy, you may or may not be able to modify it, depending on whether the policy has been defined in a Group Policy Object (GPO) that has been applied to the local system.
  • Audit account logon events;
  • Audit logon events;
  • Audit account management;
  • Audit directory service access;
  • Audit object access;
  • Audit policy change;
  • Audit privilege use;
  • Audit process tracking;
  • Audit system events;
Run the Group Policy editor:

Go to Advanced Audit Policy Configuration – Audit Policies – Object Access, and setup as following: Audit File System – Define – Success and Failures

If you have Windows 10 version then you can set this feature:

Audit Handle Manipulation – Define – Success and Failures

See the next image:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.