In this article:

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

 Objective 

To enable and configure File Integrity Monitoring (FIM) in ADAudit Plus, allowing you to detect and report critical file and folder changes across your Windows file servers for security and compliance.

 Prerequisites 

• You must have an account with administrative privileges or delegate permission to configure FIM in ADAudit Plus.

• Configure required audit policies and object-level auditing on target servers before enabling monitoring.

 Steps to follow 

Step 1: Configure File Integrity Monitoring in ADAudit Plus

1. Log in to the ADAudit Plus web console.

2. Navigate to the Configuration tab.

3. Expand Configured Server(s) > Choose File Integrity from the left pane.

4. Click Add Domain.

5. Select the Domain where you want to configure file integrity monitoring.

6. In the select servers section, choose the servers you want to monitor.

7. Under Select Folders and File Types For Monitoring choose the file types to monitor, such as all files or specific file types.

8. Exclude File/folder, File Types, Process, or User if required by clicking the + icon.

9. Click Save to complete the configuration.

Step 2: Configure required Audit Policies

1. Log in to the target Windows file server with administrative privileges.

2. Open Group Policy Management Console (gpmc.msc).

3. Create a new group policy object or edit an existing one linked to the file server’s OU.

4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

5. Enable the following policies:

1. Audit Object Access: Success, Failure

6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access.

7. Enable the following policies:

1. Audit File System: Success, Failure

2. Audit Handle Manipulation: Success, Failure

8. Close the group policy editor and run gpupdate /force to apply the settings immediately.

9. To run the above command, Go to Start > type cmd > right-click Command Prompt > select Run as administrator. Run the above command.

Step 3: Configure object-level auditing

Method 1: Using Windows shares

1. Log in to the file server.

2. Open File Explorer and browse the folder or share you want to monitor.

3. Right-click the folder and select Properties.

4. Click the Security tab > Advanced, and then click the Auditing tab. For the Everyone group, add the following entries:

5. Click Ok, then Apply, and Ok to close all dialog boxes.

Method 2: Using PowerShell cmdlets

1. Create a CSV file that lists the Universal Naming Convention (UNC) paths or local paths of all files and folders for which you want to enable File Server Auditing (FIM).

2. The CSV file should list the files/folders in the following format: <file/folder>,FIM

Example:

E:\test folder,FIM

\\SERVERNAME\c$\folder,FIM

E:\test file.txt,FIM

Once you have the CSV file ready with all the required paths, open PowerShell and navigate to the <Installation Directory>\bin folder.

Type in: .\ADAP-Set-SACL.ps1 -file '.\file name' -mode add (or) remove -recurse true (or) false -username DOMAIN_NAME\username

Where:

Note: When removing object-level auditing for a set of files or folders, the <type> parameter 'FIM' is not mandatory.

For example

• To set object-level auditing for the list of folders in a CSV file named folders.CSV, use: .\ADAP-Set-SACL.ps1 -file '.\folders.CSV' -mode add

• To replace all subfolder object-level auditing settings with inheritable auditing settings applied to a CSV file named folders.CSV, use: .\ADAP-Set-SACL.ps1 -file '.\folders.CSV' -mode add -recurse true

• To remove object-level auditing for the list of folders in a CSV file named folders.CSV, use: .\ADAP-Set-SACL.ps1 -file '.\folders.CSV' -mode remove.

Method 3: Using global object access auditing

1. Log in to the file server.

2. Open Group Policy Management Console (gpmc.msc).

3. Edit an existing GPO or create a new GPO linked to the servers’ OU.

4. Navigate to:
   Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Global Object Access Auditing >  File system > Define this policy setting > Configure. For the Everyone group, add the following entries:

5. Click Ok, then Apply to save changes.

6. Close the GPO editor and run gpupdate /force to enforce the policy.

7. To run the above command, Go to Start > type cmd > right-click Command Prompt > select Run as administrator. Run the above command.

 Validation and confirmation 

• Confirm that the file servers and shares appear in File Integrity in the ADAudit Plus console.

• Perform a test action (for example, modify or delete a monitored file).

• In the Server Audit tab, open File Integrity Monitoring and verify that the event is logged correctly.

• If alert profiles are enabled, confirm you receive notifications.

 Tips 

• Use filters in reports to locate specific file changes quickly.

• Regularly review GPO settings to confirm that audit policies and object-level auditing remain active.

• Monitor disk space for storage growth due to logs and monitored data.

 Related topics and articles 

• No data available in File Integrity Monitoring reports.