How to find out who changed file/folder NTFS permissions on Windows? , Ranjan.info

In some cases, an administrator needs to find out which process (program) or user has changed the NTFS permissions on a specific folder or file on a Windows file server. This article shows how to track NTFS permission changes made to file system objects using an audit policy, a PowerShell script, and the Process Monitor (ProcMon) tool.

You need to configure an audit policy to track changes to NTFS permissions on Windows file system objects.

  1. Open the Group Policy Editor. To configure the file system audit policy on a single server, open the Local Group Policy Editor console (gpedit.msc). To enable auditing on multiple devices in a domain (for example, all file servers), create a separate GPO using the Group Policy Management Console (gpmc.msc).
  2. Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access.
  3. Enable the Audit File System option and select Success.
  4. Now enable auditing in the properties of the directory in which you want to track permission changes. Open the folder Properties -> Security tab -> Advanced -> Auditing tab -> Continue -> Add, and add the principal (user or group) whose activity you want to track. In this example, Everyone is specified.
  5. Set Type to Success and, under Advanced permissions, enable the Change permissions and Take ownership options.
  6. Don’t forget to update the Group Policy settings on the host: gpupdate /force
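The same configuration can be applied from the command line, which is handy for scripting it across several shares. The following is an added example (not code from the original article): it enables the File System audit subcategory locally with auditpol and adds a SACL entry on a folder so that Change Permissions and Take Ownership by any principal are logged on success. The folder path is a placeholder, and the script assumes an elevated PowerShell session on the file server.

```powershell
# Added example (not from the original article): enable the "File System" audit
# subcategory locally and add a SACL entry on a folder so that permission and
# ownership changes by any principal are recorded as Event ID 4670.
# Assumptions: elevated PowerShell on the file server; $Folder is a placeholder.
$Folder = 'D:\Shares\Finance'   # placeholder path, replace with your own

# 1. Turn on Success auditing for Object Access -> File System. This is the local
#    equivalent of the GPO setting; in a domain, set the same subcategory via a GPO.
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null

# 2. Build an audit (SACL) rule: Everyone, Change Permissions + Take Ownership,
#    inherited by subfolders and files, logged on Success.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)

# 3. Read the current security descriptor including the SACL (-Audit requires
#    SeSecurityPrivilege), attach the rule and write it back.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Verify what is now being audited on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AuditFlags
```

Note that Get-Acl without -Audit silently drops the SACL, so a Set-Acl with such an object would remove any auditing entries already present; always read with -Audit when you intend to modify audit rules.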

Now, if someone changes the NTFS permissions on items in the specified folder, an event with Event ID 4670 will appear in the Security log.

Open the Event Viewer console (eventvwr.msc) -> Windows Logs -> Security. Filter the event list by Event ID 4670 (Permissions on an object were changed) and open the most recent event.

In the event details you will see the name of the user who changed the permissions (Account Name) and the process name (for example, C:\Windows\Explorer.exe). The event also contains the previous ACL (Original Security Descriptor) and the new permission list (New Security Descriptor).

(Screenshot: Event ID 4670 showing the user who changed the folder NTFS permissions)

Note that the security descriptors are shown in SDDL (Security Descriptor Definition Language) format, which is hard to read. Luckily, you can use the built-in PowerShell cmdlet ConvertFrom-SddlString to convert an SDDL string into a PSCustomObject.

To see which access groups have changed in the object’s NTFS permissions, compare the old and new security descriptors (copy the SDDL value from event 4670):

$oldperm=ConvertFrom-SddlString "D:PAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1774357850-3643260196-2143367957-1125)(A;OICI;0x1301bf;;;S-1-5-21-1774357850-3643260196-2143367957-1124)"
$newperm=ConvertFrom-SddlString "D:PARAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;S-1-5-21-1774357850-3643260196-2143367957-1124)(A;OICI;0x1200a9;;;S-1-5-21-1774357850-3643260196-2143367957-1125)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
Compare-Object -ReferenceObject $oldperm.DiscretionaryAcl -DifferenceObject $newperm.DiscretionaryAcl | Format-List

In this example, you can see that the new ACL grants read access to the BUILTIN\Users group.

(Screenshot: PowerShell comparing the old and new ACLs and showing the permission differences)

You can use the Get-WinEvent PowerShell cmdlet to search the Windows event log. For example, the following code finds the latest event with ID 4670 and extracts the user name and the OldSd and NewSd values from the event data:

# Get the most recent 4670 event from the Security log
$event = Get-WinEvent -FilterHashtable @{logname="Security";id=4670} -MaxEvents 1
# Convert the event to XML so that the EventData fields can be read individually
[xml]$xmlevent = $event.ToXml()
$eventobj = New-Object System.Management.Automation.PSObject
# Data[1] = SubjectUserName, Data[8] = OldSd, Data[9] = NewSd (positions in the 4670 event schema)
$eventobj | Add-Member NoteProperty -Name $xmlevent.Event.EventData.Data[1].name -Value $xmlevent.Event.EventData.Data[1].'#text'
$eventobj | Add-Member NoteProperty -Name $xmlevent.Event.EventData.Data[8].name -Value $xmlevent.Event.EventData.Data[8].'#text'
$eventobj | Add-Member NoteProperty -Name $xmlevent.Event.EventData.Data[9].name -Value $xmlevent.Event.EventData.Data[9].'#text'
$eventobj | Format-List
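Putting the two previous snippets together, the following added example (not code from the original article) reads recent 4670 events, looks up the EventData fields by name instead of by position, and decodes OldSd and NewSd with ConvertFrom-SddlString to report which ACEs were added or removed, together with the user, process and object path. It assumes an administrative session on the audited server and that the audit policy and folder SACL described above are already in place; the path filter value is a placeholder.

```powershell
# Added example (not from the original article): list recent NTFS permission
# changes from Event ID 4670 with the ACL differences already decoded.
# Assumptions: run as an administrator on the audited server; auditing is enabled.
function Get-NtfsPermissionChange {
    param(
        [int]$MaxEvents = 10,
        [string]$PathFilter = '*'   # e.g. 'D:\Shares\Finance*' (placeholder)
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        [xml]$xml = $event.ToXml()

        # Build a name -> value map so the code does not depend on field order
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['ObjectName'] -notlike $PathFilter) { continue }

        # Decode both security descriptors into readable ACE strings
        $oldAcl = @((ConvertFrom-SddlString -Sddl $data['OldSd']).DiscretionaryAcl)
        $newAcl = @((ConvertFrom-SddlString -Sddl $data['NewSd']).DiscretionaryAcl)

        # -notin handles an empty DACL (which Compare-Object would reject as an empty array)
        $added   = @($newAcl | Where-Object { $_ -notin $oldAcl })
        $removed = @($oldAcl | Where-Object { $_ -notin $newAcl })

        [pscustomobject]@{
            Time        = $event.TimeCreated
            User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process     = $data['ProcessName']
            Object      = $data['ObjectName']
            AddedAces   = $added
            RemovedAces = $removed
        }
    }
}

# Usage: show the last 20 permission changes with their ACE differences
Get-NtfsPermissionChange -MaxEvents 20 | Format-List
```

An event whose AddedAces and RemovedAces are both empty usually means only the DACL flags (for example, protection from inheritance, the P flag in the SDDL header) or the owner changed; compare the Owner and RawDescriptor properties of the two ConvertFrom-SddlString results if you need that detail as well.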

(Screenshot: PowerShell output showing the user name that changed permissions on the folder)

If you need to find out which process and user is changing NTFS permissions on a folder in real time, you can use the Process Monitor utility (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon). It lets you trace the source of permission changes to file system objects as they happen.

  1. Download and run procmon64.exe.
  2. Configure the filter: Filter -> Filter (CTRL+S). Add Path -> begins with -> the folder path -> Include, and Operation -> is -> SetSecurityFile -> Include.
  3. From now on, if someone changes the NTFS permissions on an object in that folder, a new event appears in the ProcMon window. It shows the name of the process (explorer.exe) and the user who changed the permissions.

(Screenshot: Process Monitor showing a SetSecurityFile operation on the audited folder)
