Detailed File Share Auditing allows you to monitor access to Windows 7 file shares

Windows 7 can be a good file server on very small workgroup networks. Although Windows 7 is limited to only 10 concurrent client connections as a file server it can do a good job making files accessible over a network. Windows 7 shares a great deal of code with Windows Server 2008 R2 and has the same set of Share-level and NTFS permissions used on the big servers.  New shared folders can be created in Windows Explorer or in Computer Management’s Shared Folders node. Under the Shared Folders node are the Shares, Sessions and Open Files nodes which permit administrators to monitor share access by users in real time.

Since it is usually not practical to constantly monitor shared folder access Microsoft has created a new auditing option called Detailed File Share Auditing that will track file share access automatically. This setting is one of 53 new advanced audit policy settings incorporated in Group Policy for Windows 7. Detailed File Share Auditing is located in Control Panel- Local Security Policy and is found in this path:  “Local Security Policy-Security Settings-Advanced Audit Policy Configuration-System Audit Policy-Local Group Policy Object-Object Access-Audit Detailed File Share”.  If Audit Detailed File Share auditing is enabled  a record will be written to the computers Security Log whenever a file or folder on a Share is accessed. The events written will include detailed information about the permissions used to access the files. Both successful (user has the required permissions to access the share) events, and unsuccessful (user attempts to access shared files without proper permissions and fails) events can be recorded. It is not necessary to configure the Security Access Control List on each file or folder added to the shared folder when using Detailed File Share Auditing. This makes the new feature much easier to manage than the traditional approach of auditing using Object Access events. As files are added or removed from existing shares and new shares are created on the computer auditing will be automatically begin.

And, good news for Windows Server 2008 R2 administrators, Detailed File Share Auditing and all of the other advanced audit policy settings can be configured on their servers as well.

-Mark

Related Courses

Administering and Maintaining Windows 7 (M50292)

Planning and Managing Windows 7 Desktop Deployments and Environments (M6294)

Configuring, Managing, and Maintaining Server 2008 R2 (M6419)

In this article

Join the Conversation

1 comment

  1. Robert Reply

    I tried it and it seems useless. After I deleted a file, I checked event viewer. All it said was that my user account deleted a file. It didn’t even say which file was deleted. This isn’t very helpful. Plus with out good reports and alerts, what good is it? It seems we still need third party software to monitor file shares.