How to determine who changed permissions on a directory?

Giganews Newsgroups
Subject: How to determine who changed permissions on a directory?
Posted by:  CJ in Buffalo (CJinBuffa…@discussions.microsoft.com)
Date: Thu, 13 Sep 2007

I need to be able to determine with certainty who made a change to a
directory, and what the change was.

Here is the situation: I have some directories where the permissions were
changed, causing all kinds of problems until they were fixed back to their
correct settings.  I am pretty confident that I know what directory,
approximately what time, and who - I just need to be able to prove it.

We do have auditing turned on with these settings:
Audit Account Logon events - Success, Failure
Audit Account Management - Failure
Audit Directory Service Access - Failure
Audit Logon Events - Failure
Audit Object Access - Success, Failure
Audit Policy Change - Success, Failure
Audit Privilege Use - Success, Failure
Audit Process Tracking - Failure
Audit System Events - Success, Failure

I've done some playing around with creating directories, changing
permissions, etc. and then looking to see what was logged.  I do have Event
ID 560, 567 and 576 events logged when I do these sorts of things.  But I
can't say I fully understand what is in the event.  I was hoping for
something like "User Joe added Group OfficeParty to G:\ABC with
Read-Write-Delete permissions", but the events are a little more cryptic than
that.

So let's say I had a directory and deleted user XYZ and group ABC from the
ACL - is there a way I can tell that this was done (and specifically tell
that user XYZ was deleted, not just that some object was deleted)?

Let's say I had a directory and added a user with List Folder and Write
permissions (not Read) - what would the pattern be for that?

These are pretty much always going to be done by somebody right-clicking on
a network shared folder, going to the security tab, and then adding or
removing users or groups there.

Is there a way to replace one ACL with another, so that some IDs that had
access before no longer have it, but there was never a DELETE object event
logged?

The server in question is Windows 2003 SP1.

I have been using Event Comb MT, and I do have a saved copy of the Security
Event Log that covers the time period in question.

For example, I have an event like this.  How can I tell what exactly user
JoeSchmoe did on the G:\ABC\Junk directory on Server1?

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        9/13/2007
Time:        9:51:38 PM
User:        MYDOMAIN\JoeSchmoe
Computer:    SERVER1
Description:
Object Open:
    Object Server:    Security
    Object Type:    File
    Object Name:    G:\ABC\Junk
    Handle ID:    18852
    Operation ID:    {0,329353281}
    Process ID:    4
    Image File Name:    
    Primary User Name:    SERVER1$
    Primary Domain:    MYDOMAIN
    Primary Logon ID:    (0x0,0x3E7)
    Client User Name:    JoeSchmoe
    Client Domain:    MYDOMAIN
    Client Logon ID:    (0x0,0x138FB0D5)
    Accesses:    READ_CONTROL
            ReadAttributes
            
    Privileges:    -
    Restricted Sid Count:    0
    Access Mask:    0x20080

Or similarly for this one:
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    567
Date:        9/13/2007
Time:        9:51:38 PM
User:        MYDOMAIN\JoeSchmoe
Computer:    SERVER1
Description:
Object Access Attempt:
    Object Server:    Security
    Handle ID:    18852
    Object Type:    File
    Process ID:    4
    Image File Name:    
    Accesses:    WRITE_DAC
            
    Access Mask:    0x40000

Any help would be appreciated - Thanks!
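As an added illustration of how the two events above fit together (this is not code from the original post), the following script decodes the Access Mask values and joins each 567 to the 560 that opened the same Handle ID, so the object name from the open and the right exercised on it land in one finding. It assumes a plain-text export of the Security log in the layout shown above; the sample log embedded below is constructed from the post's two events, trimmed to the fields the script reads.

```python
import re
# File/directory access-mask bits as Windows names them in 560/567 events.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile", 0x4: "AppendData/AddSubdir",
    0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Execute/Traverse", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Constructed sample: the post's two events, trimmed to the fields used below.
SAMPLE_LOG = r"""
Event Type:    Success Audit
Event ID:    560
User:        MYDOMAIN\JoeSchmoe
    Object Name:    G:\ABC\Junk
    Handle ID:    18852
    Access Mask:    0x20080
Event Type:    Success Audit
Event ID:    567
    Handle ID:    18852
    Access Mask:    0x40000
"""

def decode_mask(mask):
    """Name every right set in an access mask; any unlisted bits stay as hex."""
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    return names + ([hex(unknown)] if unknown else [])

def parse_events(text):
    """One dict per event, built from its 'Field: value' lines."""
    events = []
    for block in re.split(r"\n(?=Event Type:)", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"\s*([^:]+):\s*(.*)$", line)
            if m and m.group(2).strip():  # skip section headers and empty fields
                fields[m.group(1).strip()] = m.group(2).strip()
        events.append(fields)
    return events

def acl_changes(events):
    """Join each 567 to the 560 with the same Handle ID; keep only DACL/owner writes."""
    opens = {e["Handle ID"]: e for e in events if e.get("Event ID") == "560"}
    hits = []
    for e in events:
        if e.get("Event ID") == "567":
            rights = decode_mask(int(e["Access Mask"], 16))
            if "WRITE_DAC" in rights or "WRITE_OWNER" in rights:
                o = opens.get(e["Handle ID"], {})
                hits.append((o.get("User", e.get("User")), o.get("Object Name", "?"), rights))
    return hits
```

For the post's pair of events this yields one finding: MYDOMAIN\JoeSchmoe used WRITE_DAC on G:\ABC\Junk, i.e. the handle opened with READ_CONTROL and ReadAttributes was then used to write the directory's DACL. The 567 records that a permission write happened, not which ACEs were added or removed; that detail is not in these two events.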

Replies