Group Policy is a Windows feature normally used to manage computers across a corporate network, but it can also be used locally on a single PC without any server. The only catch is that the Local Group Policy Editor is not included in the Home editions of Windows: on Windows 7 you need Professional or higher, and on Windows 8 you need Pro or Enterprise.
Under the hood, Group Policy is a set of registry settings controlled through a graphical user interface: you enable or disable a setting in the editor, and the corresponding change is written to the Windows registry.
In Windows XP, click Start, then Run, type gpedit.msc (without the quotes) and press Enter. In Windows 7, 8 and 10, press the Windows key + R to open the Run box and type the same thing, or simply type gpedit.msc into the Start menu search box. Either way you need to be logged on as an administrator. The editor has two branches: Computer Configuration, for machine-wide settings, and User Configuration, for per-user settings.
In our case we want auditing to apply to every user of the machine, so we'll work in the Computer Configuration section.
Expand Windows Settings -> Security Settings -> Local Policies -> Audit Policy and you'll see a list of policies with their current settings. The one we need is Audit object access: double-click it, check both Success and Failure, and click OK. This policy controls whether the operating system is prepared to record access to objects such as files and folders at all; it does not yet say which objects.
Windows has now been told that it should be ready to track object access, and the next step is to tell it which folders we want tracked. You can close the Group Policy editor if you'd like. If the new setting does not seem to take effect, run gpupdate /force from a command prompt or simply reboot.
Now browse to the folder you want to track in Windows Explorer, right-click it, choose Properties, go to the Security tab and click the Advanced button.
Click the Auditing tab (on Windows 7 you may also need to click Edit, and accept the UAC prompt, before you can change anything). Auditing works per object: the entries you add here apply to the folder and, depending on the inheritance option you pick for the entry, to its files and subfolders as well. There is no schedule involved; once an entry exists, every matching access is logged as it happens.
Click Add and type users in the object name box, then click Check Names. The box resolves it to the local Users group in the form COMPUTERNAME\Users. Auditing that group covers every standard user account on the PC; you can add individual accounts, or Everyone, instead if you prefer.
Clicking OK opens the Auditing Entry dialog, where you select which types of activity you want to track. You can pick individual permissions, such as deleting or creating files and folders, but the simplest approach is to tick Full Control, which automatically selects everything below it, and to do so for both Success and Failure. That way, whatever is done to the folder or the files within it, you will have a record. The trade-off is volume: auditing successful reads on a busy folder produces a very large number of events, so for a folder that is read often and changed rarely you may prefer to audit only Delete, Create files / write data and Create folders / append data.
To view the events, open Event Viewer: press the Windows key + R, type eventvwr.msc and press Enter (or find Event Viewer under Control Panel -> Administrative Tools). Expand Windows Logs and click Security.
You'll see that the Security log already contains a large number of events. That is not a sign of anything wrong: the Security log also records logons, logoffs, privilege use and changes to the audit policy itself, and the object access auditing we just enabled now adds to it.
If you go ahead and create a file, or simply open the folder, and then click Refresh in Event Viewer (the button with the two green arrows), you'll see a batch of new events with the task category File System. These cover the delete, create, read and write operations on the folders and files you are auditing. In Windows 7, everything shows up under the File System task category, so to see what actually happened you have to open each event and read through its details.
To make so many events manageable, apply a filter so you only see the relevant ones. Click the View menu at the top and choose Filter; if there is no Filter option, right-click the Security log in the left-hand pane and choose Filter Current Log. In the Event ID box, type 4656. That is the event logged when a user's process asks for a handle to an audited file or folder, and it carries the account, the process and the requested access, so it gives you the useful information without reading through thousands of entries. Two related IDs are worth knowing: 4663 is logged when the handle is actually used to access the object, and 4660 when an object is deleted.
If you want to view more information about an event, simply double click on it.
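Here is the same procedure done from an elevated PowerShell prompt, as an added example that is not part of the original article: it enables the File System audit subcategory (the advanced-policy equivalent of Audit object access), adds a Success and Failure audit entry for the local Users group to a folder, and then pulls the matching 4656 and 4663 events from the Security log and decodes the requested access mask into the names Event Viewer shows. The folder path in $Folder and the Decode-AccessMask helper are this example's own assumptions.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
$Folder = 'C:\Users\Aseem\Desktop\Tufu'   # assumed path; use the folder you want to track

# 1. Audit policy. auditpol's "File System" subcategory is the advanced-policy equivalent of
#    the legacy "Audit object access" setting, without also auditing registry, SAM, etc.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL entry: Full Control, Success and Failure, for the local Users group, inherited by
#    files and subfolders. Get-Acl needs -Audit to read the SACL, and Set-Acl needs
#    SeSecurityPrivilege (hence the elevated session) to write it back.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Users',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back the audit events. The XML EventData carries the numeric AccessMask; the
#    named rights in the Event Viewer text are a rendering of these bits.
function Decode-AccessMask([int]$Mask) {
    $bits = [ordered]@{
        0x1      = 'ReadData'        # FILE_READ_DATA / LIST_DIRECTORY
        0x2      = 'WriteData'       # FILE_WRITE_DATA / ADD_FILE
        0x4      = 'AppendData'      # FILE_APPEND_DATA / ADD_SUBDIRECTORY
        0x80     = 'ReadAttributes'
        0x100    = 'WriteAttributes'
        0x10000  = 'DELETE'
        0x20000  = 'READ_CONTROL'
        0x100000 = 'SYNCHRONIZE'
    }
    ($bits.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $bits[$_] }) -join ','
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 500 |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -like "$Folder*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id                 # 4656 = handle requested, 4663 = object accessed
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Object  = $data.ObjectName
                Access  = Decode-AccessMask ([int]$data.AccessMask)
            }
        }
    } | Format-Table -AutoSize
```

Step 3 filters on ObjectName rather than on the message text, so it keeps working if the event's display language changes. Remember that a 4656 record shows what the process asked for; pair it with 4663 when you need to know the access was actually performed.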
A handle to an object was requested.

Subject:
Security ID: Aseem-Lenovo\Aseem
Account Name: Aseem
Account Domain: Aseem-Lenovo
Logon ID: 0x175a1

Object:
Object Type: File
Object Name: C:\Users\Aseem\Desktop\Tufu\New Text Document.txt
Handle ID: 0x16a0

Process Information:
Process ID: 0x820
Process Name: C:\Windows\explorer.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
In the example above, the file worked on was New Text Document.txt in the Tufu folder on my desktop, the process was explorer.exe, and the accesses requested were DELETE, SYNCHRONIZE and ReadAttributes. A handle opened with DELETE is what Explorer asks for when it deletes, moves or renames a file, so this event is the record of the file being deleted from that folder.
Object:
Object Type: File
Object Name: C:\Users\Aseem\Desktop\Tufu\Address Labels.docx

Process Information:
Process Name: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
(logged at 7:02 PM on January 1, 2014)

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes

The Access Reasons section explains why each requested access was granted. Here READ_CONTROL was Granted by Ownership, meaning the user was allowed to read the file's security descriptor because they own the file; the SYNCHRONIZE line similarly names the permission entry on the file that allowed that access.
I accessed Address Labels.docx using WINWORD.EXE; the first access listed is READ_CONTROL and its access reason is Granted by Ownership. Normally you'll see a long list of accesses, as here, and it is worth reading the whole list rather than just the first entry. Keep in mind that 4656 records what the process asked for, not what it did: Word requests write access whenever it opens a document, which is why WriteData and AppendData appear even though in this case I simply opened the file. DELETE and the Write rights are what distinguish a change from a read. It does take a little testing and reading through the events to understand what's going on, but once you have it down, it's a very reliable system. I suggest creating a test folder with files and performing various actions to see what shows up in the Event Viewer.
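Reading these events by hand works for a test folder, but once auditing is on a busy folder you'll want to sort them programmatically. The following Python script is an added example, not code from the article: it parses the rendered text of a 4656 event into its fields, buckets each handle request by the most significant right it asked for (delete, write, read, or metadata-only noise such as ReadAttributes), and drops the noise. The two sample messages are constructed from the events quoted above; the handle and process IDs on the second one are made up, and the classification rules are this example's own choice.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the rendered message text of the two event ID 4656 records
# discussed in the article. Layout follows the Event Viewer "General" tab. The handle
# and process IDs of the second record are invented for the example.
SAMPLE_EVENTS = [
    """A handle to an object was requested.

Subject:
    Security ID:        Aseem-Lenovo\\Aseem
    Account Name:       Aseem
    Account Domain:     Aseem-Lenovo
    Logon ID:           0x175a1

Object:
    Object Type:        File
    Object Name:        C:\\Users\\Aseem\\Desktop\\Tufu\\New Text Document.txt
    Handle ID:          0x16a0

Process Information:
    Process ID:         0x820
    Process Name:       C:\\Windows\\explorer.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:           DELETE
                        SYNCHRONIZE
                        ReadAttributes
""",
    """A handle to an object was requested.

Subject:
    Security ID:        Aseem-Lenovo\\Aseem
    Account Name:       Aseem
    Account Domain:     Aseem-Lenovo
    Logon ID:           0x175a1

Object:
    Object Type:        File
    Object Name:        C:\\Users\\Aseem\\Desktop\\Tufu\\Address Labels.docx
    Handle ID:          0x1a2c

Process Information:
    Process ID:         0xa84
    Process Name:       C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:           READ_CONTROL
                        SYNCHRONIZE
                        ReadData (or ListDirectory)
                        WriteData (or AddFile)
                        AppendData (or AddSubdirectory or CreatePipeInstance)
                        ReadEA
                        WriteEA
                        ReadAttributes
""",
]

# "Key:   value" lines. The key is letters/spaces only and matched non-greedily, so the
# colon inside "C:\Users\..." stays part of the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

# Rights that mean the object may change. DELETE is handled separately because it is
# the clearest signal of a file being removed, moved or renamed.
WRITE_RIGHTS = {"WriteData", "AppendData", "WriteAttributes", "WriteEA", "WRITE_DAC", "WRITE_OWNER"}


@dataclass
class HandleRequest:
    user: str
    object_name: str
    process: str
    accesses: List[str]
    raw: Dict[str, str] = field(default_factory=dict)


def parse_4656(message: str) -> HandleRequest:
    """Turn the rendered 4656 message into a HandleRequest."""
    fields: Dict[str, str] = {}
    current = None                      # key that continuation lines belong to
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if value == "":             # "Subject:", "Object:", ... are section headers
                current = None
                continue
            fields[key] = value
            current = key
        elif line.strip() and current is not None:
            fields[current] += "\n" + line.strip()   # extra rows under "Accesses:"
        else:
            current = None              # blank line ends any multi-line value
    return HandleRequest(
        user=f"{fields.get('Account Domain', '')}\\{fields.get('Account Name', '')}",
        object_name=fields.get("Object Name", ""),
        process=fields.get("Process Name", ""),
        accesses=[a for a in fields.get("Accesses", "").split("\n") if a],
        raw=fields,
    )


def classify(req: HandleRequest) -> str:
    """Bucket a handle request by the most significant right it asked for."""
    names = {a.split(" ")[0] for a in req.accesses}   # "ReadData (or ListDirectory)" -> "ReadData"
    if "DELETE" in names:
        return "delete"
    if names & WRITE_RIGHTS:
        return "write"
    if "ReadData" in names:
        return "read"
    return "metadata"   # attributes/ACL only: Explorer does this constantly, treat as noise


def interesting(messages: List[str], noise=("metadata",)) -> List[Tuple[str, str, str]]:
    """(kind, process, object) for every request that is not classified as noise."""
    out = []
    for msg in messages:
        req = parse_4656(msg)
        kind = classify(req)
        if kind not in noise:
            out.append((kind, req.process, req.object_name))
    return out


if __name__ == "__main__":
    for kind, proc, obj in interesting(SAMPLE_EVENTS):
        print(f"{kind:8} {proc}  ->  {obj}")
```

Because 4656 reports requested rather than performed access, the Word record is classified as a write even though the document was only opened; if that matters for your use, apply the same classification to the matching 4663 event, which carries the accesses that were actually exercised.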
That’s a great way to keep track of changes to your files.