Setting, Viewing, or Removing Auditing for a File or Folder
To audit files and folders, you must be logged on as a member of the Administrators group or have been granted the Manage auditing and security log right in Group Policy. You can set file and folder auditing only on drives that are formatted to use NTFS. Because the security log is limited in size, carefully select the files and folders to be audited. Also consider the amount of disk space you are willing to devote to the security log. The maximum size is defined in Event Viewer.
To set, view, change, or remove auditing for a file or folder:
Click Start, point to Programs, point to Accessories, and then click Windows Explorer. Locate the file or folder you want to audit.
Right-click the file or folder, click Properties, and then click the Security tab.
Click Advanced, and then click the Auditing tab.
Use one of the following procedures:
To set up auditing for a new group or user, click Add. Type the name of the user you in the Name box, and then click OK.
To view or change auditing for an existing group or user, click the name, and then click View/Edit.
To remove auditing for an existing group or user, click the name, click Remove, and then skip steps 5 through 7.
If necessary, in the Auditing Entry dialog box, select where you want auditing to take place in the Apply onto box. The Apply onto box is available only for folders.
Under Access, click Successful, Failed, or both for each access you want to audit.
If you want to prevent files and subfolders within the tree from inheriting these audit entries, click to select the Apply these auditing entries check box.
NOTE: If the check boxes under Access are unavailable in the Auditing Entry dialog box, or if the Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from the parent folder.
Before Windows 2000 can audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders will be audited. After auditing is enabled in Group Policy, view the security log in Event Viewer to review successful or failed attempts to access the audited files and folders.