First, go to the Domain Controller (DC) and update the Group Policy (GPO) to enable file auditing.
Right click on the Group Policy you want to update or create a new GPO for file auditing. In the right-click menu, select edit to go to the Group Policy Editor.
*Here, created a new GPO called “File Auditing” for the purposes of this example.
In the Group Policy editor, click through to Computer Configuration -> Policies -> Windows Settings -> Local Policies. Click on Audit Policy.
Double-click “Audit object access” and set it to both success and failure.
To enable your new GPO, go to a command line and run ‘gpupdate /force’.
Verify that your policy is set correctly with the command ‘gpresult /r’ on the computer that you want to audit.
Next, tell Windows exactly which files and/or folders that you want to audit. Here is the procedure to set auditing up for your folders.
Right-click the file or folder in Windows Explorer. Select Properties.
Change to the Security tab and click Advanced.
Click the Auditing tab and then Continue.
Add the Users or Groups that you want to audit and check all of the appropriate boxes.
Once you have enabled the Auditing GPO and set the file/folder auditing, you will see audit events in the Security Event Log in Windows Event Viewer.
