How can I determine who created or modified a file on Win2k server without using detailed auditing?
With the exception of turning on detailed auditing, which can impact system performance (too late for it now anyway), how can I determine who created or modified a file on a Win2k server? It appears that if an administrator or the system creates a file/directory, the system just states it was created by the "Administrators" group. Therefore, I am unable to determine if it was a specific admin, a batch job or a service running as system. What happened to the owner being identified? Maybe I am just used to Unix.
I'm not sure how you have your settings. I'm not sure what you mean by "detailed auditing." In Windows 2000, if you look at the properties of a file, click the Advanced button, then the Owner tab, this will tell you the owner of the file. If the file was created by an administrator, it will list the Administrators group, as well as the administrator. If this setting has not been changed, this will be the creator of the file. To determine who has modified a file, or who was the true original creator, you must turn on auditing. Here's how:
- In Administrative Tools\Local Security Policy\Local Policy\Audit Policy turn on Audit Object Access for success and failure.
- Then, using Windows Explorer, access the audit properties of the files and/or folders to audit and turn on auditing for the user or group you wish to track. If you select the Authenticated Users group, this will provide audit records in the Security Log for the individual user who has modified, or otherwise accessed the file.
Yes, Unix systems do things differently. But in most systems, including Win2k, the "owner" of the file is not necessarily the original creator of the file. Auditing will provide you with that information. But in Windows 2000, auditing must be turned on in order to record it.
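The three steps the answer describes (check the owner, enable the Audit Object Access policy, add a SACL entry for Authenticated Users) and the follow-up step of reading the resulting Security log records, scripted as an added example. This is not part of the original answer. It assumes a current Windows version where PowerShell, auditpol.exe and Get-WinEvent exist and is run from an elevated prompt (reading or writing a SACL needs SeSecurityPrivilege); on Windows 2000 itself the two policy steps are done in the GUI exactly as the answer says, and the object access event is 560 (Object Open) rather than 4663. The path C:\Shares\Finance is a placeholder.

```powershell
# Added example, not from the original answer. Assumes PowerShell 5.1+ on a
# current Windows version, run elevated. $Path is a placeholder.
$Path = 'C:\Shares\Finance'

# Step 0: what the Owner tab shows. A file created by a member of the local
# Administrators group is usually owned by BUILTIN\Administrators, which is
# why the owner alone cannot single out the individual admin or service.
function Get-FileOwnerInfo {
    param([string]$Target)
    $acl = Get-Acl -Path $Target -Audit
    [pscustomobject]@{
        Path  = $Target
        Owner = $acl.Owner
        # Existing SACL entries, if any, so you can see whether auditing is already on
        Audit = @($acl.Audit | ForEach-Object {
                    '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AuditFlags })
    }
}

# Step 1: the "Audit Object Access" policy. Since Vista this category is split
# into subcategories; "File System" is the one that yields file/folder events.
# (Windows 2000 has no auditpol.exe with this syntax; use Local Security Policy.)
function Enable-FileSystemAuditPolicy {
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
    auditpol.exe /get /subcategory:"File System"
}

# Step 2: the SACL entry on the folder. Auditing Authenticated Users for the
# write-type rights records the real caller for every create, modify, delete,
# permission or ownership change; the inheritance flags push the entry down to
# existing and future files and subfolders.
function Enable-FolderAuditing {
    param([string]$Target)
    $acl  = Get-Acl -Path $Target -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Authenticated Users',
        [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Target -AclObject $acl
}

# Step 3: read the Security log. Event 4663 ("An attempt was made to access an
# object") carries the subject account, the object path, the access mask and
# the process. Decoding a few mask bits separates "created" (AddFile on the
# folder / WriteData on the file) from "modified" and "deleted".
$AccessBits = [ordered]@{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x10000 = 'DELETE'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}

function Get-FileAccessAuditEvents {
    param([string]$Target, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $mask = [int]$d['AccessMask']          # value is a hex string such as '0x2'
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
                Access  = (@($AccessBits.Keys | Where-Object { $mask -band $_ } |
                              ForEach-Object { $AccessBits[$_] })) -join ', '
            }
        } |
        Where-Object { $_.Object -like "$Target*" }
}

# Example invocation against the placeholder folder
Get-FileOwnerInfo -Target $Path
Enable-FileSystemAuditPolicy
Enable-FolderAuditing -Target $Path
Get-FileAccessAuditEvents -Target $Path | Format-Table -AutoSize
```

The User and Process columns are what answer the original question: an interactive admin shows up under their own account name with explorer.exe or notepad.exe as the process, a scheduled batch job shows the account it was configured to run as, and a service running as the local system shows the computer account (HOSTNAME$) together with the service binary's path. Note that the SACL only produces events from the moment it is set, so it cannot reveal who created a file that already existed, which is the point the answer makes in its last sentence.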
This was first published in October 2002