Unknown user is attempting to access a file or folder he or she should not have access to

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This problem typically occurs when someone attempts to access a file or folder that they have not been granted permission to access, or to which they have been explicitly denied access. The attempt can be unintentional, such as a user opening the wrong resource by mistake, or deliberate, such as a user trying to circumvent the access control policy on the file or folder.

Cause

When no audit policy is in place, Windows records nothing about denied access attempts, so there is no way to determine exactly who is attempting to access unauthorized resources.

Solutions

Because a Windows-based computer can be managed with Group Policy or be a standalone computer, there are two different solutions for this problem. Choose one of the following options and follow the corresponding procedures.

  • Computer is managed with Group Policy

  • Computer is not managed with Group Policy

Please check with your system administrator to determine whether the computer is managed with Group Policy.

Computer is managed with Group Policy

If the computer you would like to audit events for is managed by Group Policy, perform the following procedures to discover which user is attempting to access the file or folder.

  1. Enable auditing of the object access event category

  2. Apply auditing policy settings for an object using Group Policy

  3. Analyze the Security events in Event Viewer

  4. Adjust permissions or enforce a new security policy

Note

You can set up file and folder auditing only on NTFS drives.

Note

To perform this set of procedures, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been granted the Manage auditing and security log right in Group Policy. As a security best practice, consider using Run as to perform this procedure.

Step One: Enable auditing of the object access event category

Choose among the following object access auditing configuration options, depending on your environment:

  • For your local computer

  • For domain controllers only, when you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

  • For a domain or organizational unit, when you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

  • For a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain

For your local computer

Perform the following procedure:

  1. Open Local Security Policy. Click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

  2. In the console tree, expand Security Settings, expand Local Policies, and click Audit Policy.

  3. In the details pane, double-click Audit object access.

  4. Select the Failure check box. Select Success only if you also need to record who did open the object; success auditing on a busy folder fills the Security log quickly.

For domain controllers only, when you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

Perform the following procedure:

  1. Open Domain Controller Security Policy. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Domain Controller Security Policy.

  2. In the console tree, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.

  3. In the details pane, double-click Audit object access.

  4. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  5. Select the Failure check box.

For a domain or organizational unit, when you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

Perform the following procedure:

  1. Open Active Directory Users and Computers. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. In the console tree, right-click the domain or organizational unit for which you want to set Group Policy.

  3. Click Properties, and then click the Group Policy tab.

  4. Click Edit to open the Group Policy object (GPO) that you want to edit. You can also click New to create a new GPO, and then click Edit.

  5. In the console tree, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.

  6. In the details pane, double-click Audit object access.

  7. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  8. Select the Failure check box.

For a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain

Perform the following procedure:

  1. Open Microsoft Management Console (MMC). Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Click Group Policy Object Editor, and then click Add.

  4. On the Select Group Policy Object page in the Group Policy Wizard, click Browse.

  5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit—or create a new one—click OK, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.

  8. In the details pane, double-click Audit object access.

  9. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  10. Select the Failure check box.

Step Two: Apply auditing policy settings for an object by using Group Policy

Important

Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files will be audited.

Note

To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been granted the Manage auditing and security log right in Group Policy. As a security best practice, consider using Run as to perform this procedure.

Apply auditing policy settings for an object by using Group Policy

  1. Open Microsoft Management Console (MMC). Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Click Group Policy Object Editor, and then click Add.

  4. On the Select Group Policy Object page in the Group Policy Wizard, click Browse.

  5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit—or create a new one, click OK, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click File System.

  8. If you want to add a file or folder to this GPO to audit, right-click File System, and then click Add File. Browse to the file that you want, or make a new folder, and then click OK.

  9. If you want to apply or modify auditing settings on a file or folder that has already been added to this GPO, in the details pane, right-click the file or folder, click Properties, and then click Edit Security.

  10. Click Advanced, and then click the Auditing tab.

  11. Do one of the following:

    • To set up auditing for a new user or group, click Add. In Name, type the name of the user or group that you want, and then click OK.

    • To view or change auditing for an existing group or user, click the name that you want, and then click Edit.

    • To remove auditing for an existing group or user, click the name that you want, click Remove, click OK, and then skip the rest of this procedure.

  12. Select the appropriate entry in the Apply onto list.

  13. In the Access box, select the Failed check box for each type of access that you want to audit. Selecting Failed on the Full Control row selects every type; for a folder that the audited users should not read at all, Failed on List Folder / Read Data is enough to catch a denied attempt to open or list it.

    If you want to prevent files and subfolders in the tree from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.

  14. Click OK.

For best system performance, keep the number of entries in an object's SACL small: a single audit entry for a group that contains 1000 users costs far less to evaluate than 1000 separate entries for the individual users.

Because the Security log is limited in size, select the files and folders to be audited carefully, and consider how much disk space you want to devote to the Security log. The maximum size of the Security log, and what happens when it fills (overwrite the oldest events, or stop recording), is set in the log's properties in Event Viewer.

If you are unsure which user might be attempting to access the restricted file or folder, audit a group rather than individual users; Everyone or Authenticated Users catches any account. In the object picker, click Locations and select the local computer if you want to audit a local group, such as Users.

Step Three: Analyze the Security events in Event Viewer

After applying the audit policy to the desired file or folder, view the Security log in Event Viewer to determine what user has been attempting to access the restricted file or folder.

Perform the following procedure to view the Security log.

To view the Security log

  1. Open Event Viewer. Click Start, click Control Panel, double-click Administrative Tools, and double-click Event Viewer.

  2. In the console tree, click Security. The details pane lists individual security events.

  3. If you want to see more details about a specific event, in the details pane, double-click the event.

Once you have accessed Event Viewer, you should take advantage of the filter to eliminate irrelevant data in the Security log. Perform the following procedure to filter for Success and Failure events for the object access event category.

To filter the Security log view

  1. Open Event Viewer.

  2. In the console tree, click Security. The details pane lists individual security events.

  3. On the View menu, click Filter.

  4. In Event types, clear the Information, Warning, and Error check boxes and make sure that the Success audit and Failure audit check boxes are selected.

  5. In the Event Source list, select Security.

  6. In the Category list, select Object Access.

  7. Click OK.

Note

You can use the other fields in the Filter page to further filter the Security events by event ID, user, and computer. On Windows Server 2003 a denied attempt to open a file or folder is recorded as Failure Audit event ID 560 (Object Open), so filtering on that ID isolates the attempts you are looking for. You can also filter events by using a time-period range, which is useful if you believe that someone tried to access a restricted file or folder at a specific time on a particular day.

Once you have filtered the events, examine the Success and Failure audits to see whether they apply to the restricted files or folders. Each Failure Audit records the Object Name, the user who made the attempt (Primary User Name, or Client User Name when a service such as the Server service opened the file on behalf of a network user), the Accesses that were requested, and the Image File Name of the process that made the request.

Important

The view filter that you set will remain on the event log unless you manually change the filter. Filtering the view of the event log can help you narrow the scope of the events presented and make it much easier to find potential security problems.

Step Four: Adjust permissions or enforce a new security policy

After you have discovered which user is attempting to access a file or folder, you must then decide on a course of action to complete the solution. There are two possible solutions, depending upon the original intent of the person who attempted to access a file or folder.

If the user is trusted and attempted to access the file or folder believing that he or she was performing an action that complies with your security policy, you should either further refine your security policy or educate the user about the proper way to follow the policy.

If the user is not trusted and attempted to change the file or folder to intentionally contradict the established security policy, then you should lock down the user's permissions. Make sure to reevaluate your security policy and adhere to best practices. For guidance about applying permissions, see Users cannot write to a shared folder after migration to Windows Server 2003.

Computer is not managed with Group Policy

If the computer you would like to audit events for is not managed by Group Policy, perform the following procedures to discover which user is attempting to access the file or folder.

  1. Enable auditing of the object access event category

  2. Apply auditing policy to a specified object

  3. Analyze the Security events in Event Viewer

  4. Adjust permissions or enforce a new security policy

You must first decide which files and folders you want to audit. If the computer is joined to a domain and you would rather manage auditing centrally for an organizational unit (OU) or domain, use the Group Policy procedures above instead.

Note

You can set up file and folder auditing only on NTFS drives.

Step One: Enable auditing of the object access event category

On a computer that is not managed with Group Policy, enable the category in the computer's own Local Security Policy. (The domain controller, domain and organizational unit options described under "Computer is managed with Group Policy" apply only to computers that receive their audit policy from a Group Policy object; a domain policy that defines this setting overrides the local value.)

For your local computer

  1. Open Local Security Policy. Click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

  2. In the console tree, expand Security Settings, expand Local Policies, and click Audit Policy.

  3. In the details pane, double-click Audit object access.

  4. Select the Failure check box. Select Success only if you also need to record who did open the object; success auditing on a busy folder fills the Security log quickly.

Step Two: Apply auditing policy to a specified object

To perform the following procedure, you must be logged on as a member of the Administrators group or you must have been granted the Manage auditing and security log right in Group Policy.

Important

Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category (Step One). If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.

To apply or modify auditing policy settings for a local file or folder

  1. Open Windows Explorer. To open Windows Explorer, right-click Start, and then click Explore.

  2. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.

  3. Click Advanced, and then click the Auditing tab.

  4. Do one of the following:

    • To set up auditing for a new user or group, click Add. In Enter the object name to select, type the name of the user or group that you want, and then click OK.

    • To view or change auditing for an existing group or user, click its name, and then click Edit.

  5. In the Apply onto box, click the location(s) where you want auditing to take place. This is only applicable for a folder.

  6. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes, and then click OK:

    • To audit successful events, select the Successful check box.

    • To stop auditing successful events, clear the Successful check box.

    • To audit unsuccessful events, select the Failed check box.

    • To stop auditing unsuccessful events, clear the Failed check box.

    • To stop auditing all events, click Clear All. This option removes the auditing entry.

  7. If you want to prevent subsequent files and subfolders of the original object from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.

If you see one of the following, the audit entry has been inherited from the parent folder and can only be changed there:

  • In the Auditing Entry for File or Folder dialog box, in the Access box, the check boxes are unavailable.

  • In the Advanced Security Settings for File or Folder dialog box, the Remove button is unavailable.

For best system performance, keep the number of entries in an object's SACL small: a single audit entry for a group that contains 1000 users costs far less to evaluate than 1000 separate entries for the individual users.

Because the Security log is limited in size, select the files and folders to be audited carefully, and consider how much disk space you want to devote to the Security log. The maximum size of the Security log, and what happens when it fills (overwrite the oldest events, or stop recording), is set in the log's properties in Event Viewer.

If you are unsure which user might be attempting to access the restricted file or folder, audit a group rather than individual users; Everyone or Authenticated Users catches any account. In the object picker, click Locations and select the local computer if you want to audit a local group, such as Users.
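Step One and Step Two of this procedure, as an added Windows PowerShell example (this is not code from the original page): a security template applied with secedit defines Audit object access = Failure on the local computer, and Set-Acl adds a Failed audit entry for a group on a folder, then lists the SACL to confirm it. The folder D:\Restricted and the audited group Users are assumptions; run it from an elevated prompt as a member of Administrators. Windows PowerShell is a separate download on Windows Server 2003, and a domain Group Policy object that defines the same audit setting overrides the local value set here.

```powershell
# Added example, not from the original page. Enables failure auditing for the
# Object Access category on the local computer, then puts a Failed audit entry
# on a folder and verifies it. Run elevated as a member of Administrators.
# $Folder and $Trustee are assumed values; change them to suit.

$Folder  = 'D:\Restricted'   # assumed folder to watch (must be on an NTFS volume)
$Trustee = 'Users'           # assumed group to audit; use Everyone if unsure who is probing

# --- Step One: "Audit object access" = Failure, applied with a security template.
# [Event Audit] values: 0 = no auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
$Template = Join-Path $env:TEMP 'objectaccess-audit.inf'
$Database = Join-Path $env:TEMP 'objectaccess-audit.sdb'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditObjectAccess = 2
'@ | Set-Content -Path $Template -Encoding Unicode

secedit /configure /db $Database /cfg $Template /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

# --- Step Two: Failed audit entry for read, write and delete on the folder,
# applied to "This folder, subfolders and files".
$Rights      = [System.Security.AccessControl.FileSystemRights] 'ReadData, ReadAttributes, WriteData, AppendData, Delete'
$Inheritance = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$AuditFlags  = [System.Security.AccessControl.AuditFlags]::Failure
$RuleArgs    = @($Trustee, $Rights, $Inheritance, $Propagation, $AuditFlags)
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $RuleArgs

# -Audit makes Get-Acl read the SACL as well as the DACL (this needs the
# "Manage auditing and security log" right); Set-Acl writes the modified
# security descriptor back to the folder.
$Acl = Get-Acl -Path $Folder -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# --- Verify: list the SACL. An entry that is greyed out in the GUI because it
# came from the parent folder shows here with IsInherited = True.
(Get-Acl -Path $Folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The template only touches the Object Access category; the other audit categories keep their current values because secedit applies just the settings the template defines. To audit successful access as well, change AuditObjectAccess to 3 and use AuditFlags 'Success, Failure' in the rule, bearing in mind the log-size note above.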

Step Three: Analyze the Security events in Event Viewer

After applying the audit policy to the desired file or folder, view the Security log in Event Viewer to determine what user has been attempting to access the restricted file or folder.

Perform the following procedure to view the Security log.

To view the Security log

  1. Open Event Viewer. To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and double-click Event Viewer.

  2. In the console tree, click Security. The details pane lists individual security events.

  3. If you want to see more details about a specific event, in the details pane, double-click the event.

Once you have accessed Event Viewer, you should take advantage of the filter to eliminate irrelevant data in the Security log. Perform the following procedure to filter for Success and Failure events for the object access event category.

To filter the Security log view

  1. Open Event Viewer.

  2. In the console tree, click Security. The details pane lists individual security events.

  3. On the View menu, click Filter.

  4. In Event types, clear the Information, Warning, and Error check boxes and make sure that the Success audit and Failure audit check boxes are selected.

  5. In the Event Source list, select Security.

  6. In the Category list, select Object Access.

  7. Click OK.

Note

You can use the other fields in the Filter page to further filter the Security events by event ID, user, and computer. On Windows Server 2003 a denied attempt to open a file or folder is recorded as Failure Audit event ID 560 (Object Open), so filtering on that ID isolates the attempts you are looking for. You can also filter events by using a time-period range, which is useful if you believe that someone tried to access a restricted file or folder at a specific time on a particular day.

Once you have filtered the events, examine the Success and Failure audits to see whether they apply to the restricted files or folders. Each Failure Audit records the Object Name, the user who made the attempt (Primary User Name, or Client User Name when a service such as the Server service opened the file on behalf of a network user), the Accesses that were requested, and the Image File Name of the process that made the request.

Important

The view filter that you set will remain on the event log unless you manually change the filter. Filtering the view of the event log can help you narrow the scope of the events presented and make it much easier to find potential security problems.
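Step Three, in both the Group Policy and the standalone procedures above, as an added Windows PowerShell example (not code from the original page): it reads Failure Audit events with ID 560 from the local Security log, pulls the user, object, requested accesses and process out of the message text, and summarizes the denied attempts by user. It needs Windows PowerShell 2.0 or later and the Manage auditing and security log right; $Since and $PathFilter are assumed values.

```powershell
# Added example, not from the original page. Summarizes denied object-access
# attempts from the local Security log. Needs the "Manage auditing and security
# log" right (Administrators have it). $Since and $PathFilter are assumed values.

$Since      = (Get-Date).AddDays(-1)   # how far back to look
$PathFilter = 'D:\Restricted'          # assumed folder; set to '' to keep every object

# Windows Server 2003 records a denied open as event 560 (Object Open), category
# Object Access, type Failure Audit. (Windows Vista and later use 4656/4663 and
# Get-WinEvent instead; the message fields parsed below are the 2003 ones.)
$Events = Get-EventLog -LogName Security -EntryType FailureAudit -After $Since |
    Where-Object { $_.EventID -eq 560 }

function Get-MessageField {
    # Return the value of a "Label:  value" line from the event message text.
    param([string]$Message, [string]$Label)
    $Pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(\S.*?)\s*$'
    if ($Message -match $Pattern) { $Matches[1] } else { $null }
}

function Get-Accesses {
    # "Accesses:" spans several lines (one right per line) up to "Privileges:".
    param([string]$Message)
    if ($Message -match '(?s)Accesses:\s*(.+?)\s*Privileges:') {
        ($Matches[1] -split '\s*[\r\n]+\s*') -join ', '
    }
}

$Denied = foreach ($e in $Events) {
    $ObjectName = Get-MessageField $e.Message 'Object Name'
    if ($PathFilter -and ($ObjectName -notlike "$PathFilter*")) { continue }

    # For a local logon the user is "Primary User Name". When the Server service
    # opened the file for a network user, Primary is SYSTEM and the real user is
    # "Client User Name", so prefer that when it is present and not "-".
    $User = (Get-MessageField $e.Message 'Primary Domain') + '\' + (Get-MessageField $e.Message 'Primary User Name')
    $ClientUser = Get-MessageField $e.Message 'Client User Name'
    if ($ClientUser -and $ClientUser -ne '-') {
        $User = (Get-MessageField $e.Message 'Client Domain') + '\' + $ClientUser
    }

    New-Object PSObject -Property @{
        Time     = $e.TimeGenerated
        User     = $User
        Object   = $ObjectName
        Accesses = Get-Accesses $e.Message
        Process  = Get-MessageField $e.Message 'Image File Name'
    }
}

# Who is probing, and how often.
$Denied | Group-Object User | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The individual attempts, most recent first.
$Denied | Sort-Object Time -Descending |
    Format-Table Time, User, Object, Accesses, Process -AutoSize -Wrap
```

A burst of entries from one account against many objects in a short time usually points at a deliberate probe; a single entry against one file from an account that normally works nearby is more often a mistaken click. The Process column distinguishes an interactive attempt (explorer.exe, an application) from a script or service, which is useful input for Step Four.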

Step Four: Adjust permissions or enforce a new security policy

After you have discovered which user is attempting to access a file or folder, you must then decide on a course of action to complete the solution. There are two possible solutions, depending upon the original intent of the person who attempted to access a file or folder.

If the user is trusted and attempted to access the file or folder believing that he or she was performing an action that complies with your security policy, you should either further refine your security policy or educate the user about the proper way to follow the policy.

If the user is not trusted and attempted to change the file or folder to intentionally contradict the established security policy, you should lock down the user's permissions. Make sure to reevaluate your security policy and adhere to best practices. For guidance about applying permissions, see Users cannot write to a shared folder after migration to Windows Server 2003.