Question : Auditing Object Copy or Move

Hi All,

We have a share on our network that has to be accessed by one of our departments. Recently some folders have been moved from one location in the share and copied to another. The permissions on the share are as follows.

All users in the department are in a group. That group has all permissions on the share apart from delete (although they can delete subfolders and files), change permissions and take ownership.

The moving of folders has continued for a few weeks, so I have decided to audit object access for the share. My question has two parts.

Firstly, how should I set up the share in terms of permissions to help this situation? Is there a way to give people access to the share but only allow the creators of files or folders to move them? Any suggestions or examples of how you network admins out there set up group shares are welcome.

Secondly, the security event viewer is a bit of a nightmare. How do I filter the security log to see who has been moving files? Seeing who successfully or unsuccessfully accessed an object is easy but not who is moving or copying an object.

Cheers,

JT

Answer : Auditing Object Copy or Move

Share permissions are limited.  Basically, you would need to enable Change permissions to the share itself, and do further restrictions with NTFS file and folder permissions.  In that scenario, only the administrators and/or the Creator/Owners should have Full Control to the share.  All other permissions (to disallow delete, for example) need to be done at the folder level.  Share permissions cannot be configured to allow users to modify, and not delete a file.  There are only three permissions, Read, Change, and Full Control.  Change would grant them the ability to modify AND delete files in the share.  So that's why you have to go to the folder's Security tab and specifically disallow the delete permissions to Domain Users, for example.  That would prevent network users from deleting the files, but the Creator Owners would still have the ability to do so.

When you combine Share and NTFS permissions, the most restrictive take precedence.  On the other hand, when combining two sets of NTFS permissions, the least restrictive wins.  Example:

FOLDER1 - Shared with Domain Users, Read Permission
              - Folder permission is set to allow all users full control

When connecting through the share on the network, whether the users had full control or not, they would be stuck with Read permission, because it is the most restrictive.

Second example:

FOLDER1 - Shared with Domain Users, Change Permission and Creator/Owners Full Control
              - Folder permission denies Delete to Domain Users

When someone from Domain Users attempts to delete a file, the Change permission allows them the ability to do so, but then they get stopped at the NTFS permission, effectively denying them access to delete the file.  Creator Owners were not specifically denied, and therefore would be able to delete the file.

Does that help?

James
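
One way to approach the second part of the question, as an added example that is not part of the original thread: Windows logs no separate "move" event, but moving or renaming a folder needs DELETE access on the source, so filtering event 4663 for that access bit shows who moved or removed what. The function name `Get-DeleteAccess`, the path and the account are hypothetical, and the code assumes Windows Server 2008 or later with file-system auditing enabled.

```powershell
# Added example. Path, account and event below are constructed sample values.
# Assumes success auditing of "File System" object access is enabled and the
# folder's SACL audits Delete (Windows Server 2008 or later, event ID 4663).
$DELETE = 0x10000   # DELETE bit of AccessMask; renaming or moving an object uses it

function Get-DeleteAccess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [Parameter(Mandatory)][string]$Root   # local folder behind the share
    )
    process {
        $e = ([xml]$EventXml).Event
        $d = @{}
        # Flatten <Data Name="...">value</Data> into a lookup table.
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)
        $underRoot = $d['ObjectName'].StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)
        if (($mask -band $DELETE) -and $underRoot) {
            [pscustomobject]@{
                TimeUtc = $e.System.TimeCreated.SystemTime
                User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Path    = $d['ObjectName']
            }
        }
    }
}

# Constructed 4663 event, trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-15T09:12:44Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">D:\Shares\Dept\Budget</Data>
    <Data Name="AccessMask">0x10000</Data>
  </EventData>
</Event>
'@
$sample | Get-DeleteAccess -Root 'D:\Shares\Dept\'

# On the file server, from an elevated prompt, read the live Security log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
#     ForEach-Object { $_.ToXml() } | Get-DeleteAccess -Root 'D:\Shares\Dept\'
```

A plain copy only reads the source, so in these events it looks like any other read; the DELETE matches also include genuine deletions, so compare them with new objects appearing elsewhere under the share at the same time.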