In this article  :

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

 Objective   

This article explains how to track and identify who modified permissions on a folder using ManageEngine ADAudit Plus. It helps users monitor permission changes for security and compliance purposes, ensuring unauthorized access is prevented and access control policies are properly enforced in IT environments.

 Prerequisites   

• Have access to the ADAudit Plus web console.

• The respective file server and the shared folder must be added in ADAudit Plus for auditing.

• Have admin or delegate permission for file auditing to access relevant reports.

• The ADAudit Plus service account should be added to the local administrators group on each audited file server.

• Ensure the service account has both share and NTFS read permissions on all audited shares.

• Configure the Group Policy to audit object access on file servers.

• System access control lists must be configured on the folder.

Steps to follow

1. Log in to the ADAudit Plus web console as an administrator or a technician with delegated permission to access file auditing reports.

2. Navigate to File Audit > File Audit Reports > Folder Permission Changes.

3. Click Advanced Search to filter the results.

4. Set the variable to File/Folder Name.

5. Choose the condition as Contains.

6. Enter the relevant file or folder name in the input field.

7. Click Search to generate the report.

8. The resulting report will display the following details along with various other details.

• MODIFIED BY: The user who made the permission change

• TIME MODIFIED: When the change occurred

• ORIGINAL PERMISSION: The previous permission settings

• NEW PERMISSION: The updated permission settings

 Validation and confirmation   

1. Verify data accuracy.

2. Ensure logs are up to date. Confirm that the file server is actively sending logs to ADAudit Plus without delay or errors by navigating to File Audit > Configured Server(s) > Windows File Server. Check the timestamp of last event and status.

 Tips   

• Apply object-level auditing on high-value shared folders to ensure permission changes are captured.

• Schedule the Folder Permission Changes report to run daily or weekly and send it to security or compliance teams.

• Configure real-time alerts in ADAudit Plus for permission changes on sensitive folders to detect unauthorized access attempts instantly.

 Related topics and articles   

• How to create an alert if a file or folder is deleted from a critical share

• How to configure file server is ADAudit Plus