Key Points
- Enable Advanced Audit Policy for precise visibility: Use Audit File System under Object Access to ensure reliable Windows file access auditing without legacy configuration issues.
- Scope SACLs to critical folders only: Limit Success and Failure audits to high-value data paths to streamline audit results and reduce log noise.
- Focus on high-impact event IDs first: Track critical events such as 4663 file access, 4656 handle requests, 4660 deletions, 4670 permissions, and 5145 share access to capture the most important logs.
- Centralize and secure audit data: Use Windows Event Forwarding (WEF) or Windows Event Collector (WEC) to centralize Windows folder auditing events.
- Turn raw data into actionable insights: Filter audit logs by path, user, and access type to establish alerts for deletions, permission changes, and bulk operations, then report findings on a monthly basis.
Windows provides you with all the native tools you will need to monitor file activity at scale, but just because you can audit everything doesn’t mean you should.
When audits are too broad, they create noise, flood logs, and can even slow down your team’s performance to a crawl. The key here is precision.
In this guide, we’ll help you conduct targeted file access audits in Windows. Keep reading to learn how focusing on critical paths and applying the right System Access Control Lists (SACLs) can help you capture events that actually matter to your operations.
How to conduct precise file and folder access audits in Windows
Effective file audits require focus and a clear strategy. It can be tempting to conduct a broad audit and hope for the best, but this approach only leads to more noise and confusion.
Below is a playbook you can use to conduct targeted file and folder access audits in Windows.
📌Prerequisites
- Administrative access to the Group Policy Management Console (GPMC) for file servers.
- A comprehensive inventory of all critical folders or paths to monitor, along with their respective data owners.
- A log collection strategy using Windows Event Forwarding (WEF) or Windows Event Collector (WEC), with sufficient storage to support Security logs.
- A reporting template that includes key metrics for monthly stakeholder reviews.
Step 1: Enable advanced audit policy on file servers
📌Goal: generate detailed, trustworthy access events for file operations.
Actions:
- Open the Group Policy Management Console (GPMC) and create or edit a GPO linked to your file servers.
- Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access.
- Enable Audit File System and set it to Success and Failure for comprehensive coverage.
- As an option, enable Policy Change and Account Management auditing to trace user changes and configurations.
- Apply the GPO and validate it on target servers using: auditpol /get /category:*
📤Outcome: Security logs with rich, actionable file access events.
Step 2: Add SACLs where it matters
📌Goal: Capture high-value activity without overwhelming the logs.
Actions:
- On each critical folder, right-click and navigate to Properties → Security → Advanced → Auditing.
- Add entries for service accounts and user groups with access to the folder.
- Audit the following access types as needed:
- Create files/folders
- Write data
- Delete
- Read attributes
- Change permissions
- Configure the scope of the audit to This folder, subfolders, and files, if necessary.
📤Outcome: Events are generated only for relevant folders and access types.
💡Tip: Avoid applying SACLs at the root of entire volumes unless necessary; volume-wide auditing generates a large amount of noise.
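The SACL step above, as an added PowerShell example that is not part of the original guide: it first checks that the Step 1 subcategory is active (English auditpol output assumed), refuses volume roots as the tip advises, then adds Success and Failure audit entries scoped to this folder, subfolders, and files. The folder path and the identities are placeholders.

```powershell
# Added example, not from the original guide. Run elevated on the file server.
# $Path and $Identities are placeholders for a critical folder and its data-owner groups.
param(
    [string]$Path = 'D:\Shares\Finance',
    [string[]]$Identities = @('CONTOSO\Finance-Users', 'CONTOSO\svc-backup')
)
$ErrorActionPreference = 'Stop'

# Step 1 check: without the File System subcategory, SACL entries produce no events at all.
$policy = (auditpol /get /subcategory:"File System") -join "`n"
if ($policy -notmatch 'File System\s+Success and Failure') {
    Write-Warning 'Audit File System is not Success and Failure; 4663/4656/4660 coverage will be incomplete.'
}

# Tip from Step 2: never audit a whole volume, it floods the Security log.
$root = [System.IO.Path]::GetPathRoot($Path)
if ($Path.TrimEnd('\') -eq $root.TrimEnd('\')) {
    throw "Refusing to apply a SACL at a volume root: $Path"
}

# The access types listed in Step 2 (WriteData and CreateFiles share the same bit).
$rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteData, Delete, ReadAttributes, ChangePermissions'
# "This folder, subfolders, and files"
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Get-Acl -Audit reads the SACL; Set-Acl writes it back (requires SeSecurityPrivilege).
$acl = Get-Acl -Path $Path -Audit
foreach ($id in $Identities) {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($id, $rights, $inherit, $propagate, $flags)
    $acl.AddAuditRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Verify the resulting audit entries on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```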
Step 3: Collect and normalize events
📌Goal: Make audit evidence durable and queryable.
Actions:
- Set up Windows Event Forwarding (WEF) or Windows Event Collector (WEC) to forward Security log events from file servers to a collector.
- Normalize key fields such as server, path, object type, subject user, access mask, and result for analysis.
- Configure log size and retention policies to align with your review cadence.
📤Outcome: A centralized event store for queries, alerts, and audits.
Step 4: Create detections and alerts
📌Goal: Transform raw events into actionable security insights.
High-value detection patterns:
- Bulk delete or encryption-like behavior
- 4663 events with Delete access by one user on one path in a short time.
- Permission changes
- 4670 events on critical shares or inheritance breaks.
- Unusual access
- New or external identities accessing protected paths.
- Share-level anomalies
- 5145 events from unexpected sources or IPs.
📤Outcome: Timely alerts tied to clear next steps for investigation or remediation.
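Steps 3 and 4 together, as an added PowerShell example that is not part of the original guide: it normalizes 4663 events into the fields listed in Step 3 and then runs the bulk delete pattern from Step 4 over them. The log name, lookback, threshold and window are placeholders to tune; on a WEC collector, point $LogName at ForwardedEvents.

```powershell
# Added example, not from the original guide. Run where the Security log (or the
# forwarded copy on the collector) is readable. Thresholds are placeholders.
param(
    [string]$LogName = 'Security',   # 'ForwardedEvents' on a WEC collector
    [int]$LookbackHours = 24,
    [int]$Threshold = 50,            # deletes by one user under one folder...
    [int]$WindowMinutes = 5          # ...within this many minutes raises an alert
)
$DELETE = 0x10000   # the DELETE bit in the 4663 AccessMask

# Step 3: normalize server, path, object type, user, access mask and result.
function Get-NormalizedFileAccess {
    $filter = @{ LogName = $LogName; Id = 4663; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ok = $_.KeywordsDisplayNames -contains 'Audit Success'
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Server     = $_.MachineName
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Path       = $data['ObjectName']
            Folder     = Split-Path -Path $data['ObjectName'] -Parent
            ObjectType = $data['ObjectType']
            AccessMask = [Convert]::ToInt32($data['AccessMask'], 16)
            Process    = $data['ProcessName']
            Result     = $(if ($ok) { 'Success' } else { 'Failure' })
        }
    }
}

# Step 4: bulk delete pattern - many Delete accesses by one user on one path in a short time.
function Find-BulkDelete {
    param([object[]]$Events)
    $Events | Where-Object { ($_.AccessMask -band $DELETE) -ne 0 } |
        Group-Object User, Folder | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            # sliding window: first run of $Threshold consecutive deletes inside $WindowMinutes
            for ($i = 0; $i + $Threshold -le $sorted.Count; $i++) {
                $span = $sorted[$i + $Threshold - 1].Time - $sorted[$i].Time
                if ($span.TotalMinutes -le $WindowMinutes) {
                    [pscustomobject]@{ Server = $sorted[$i].Server; User = $sorted[$i].User
                                       Folder = $sorted[$i].Folder; Start = $sorted[$i].Time; Deletes = $Threshold }
                    break
                }
            }
        }
}

Find-BulkDelete -Events (Get-NormalizedFileAccess) | Format-Table -AutoSize
```

Each alert row names the server, user, folder and start time, which maps directly to the "clear next steps" the outcome above calls for.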
Step 5: Report and review monthly
📌Goal: Demonstrate control and drive continuous improvement.
Actions:
- Use your report template to summarize top actors, top paths, permission changes, deletions, and denials.
- Track exceptions and establish expiry dates for temporary access.
- Review noisy paths and adjust SACLs or filters to reduce irrelevant logs.
📤Outcome: An audit-ready report and a roadmap for fine-tuning and improving your file access monitoring.
A quick breakdown of key Windows Security Event IDs
Event IDs are rich with information, but they can be hard to understand without context. Here’s a quick breakdown of the Windows Security event IDs mentioned in our guide and what they mean:
4663 – File Access Attempt
These events are logged when a user or process successfully accesses a file or folder. They record the full path of the accessed file or folder, the type of access, who performed the action, and the application used.
4656 – Handle Requested
This logs whenever a user or process requests access to an object, even if the access is denied later. It can help you identify intent, especially in failed access attempts.
4660 – Object Deleted
This event confirms that a file or folder was deleted. It documents what was deleted and who deleted it. You can use these events to track unauthorized deletions.
4670 – Permissions Changed
These events document changes to the Discretionary Access Control List (DACL) of an object. They allow you to detect privilege escalation and identify potential misconfigurations in sensitive paths.
5145 – Network Share Access
This event logs access to shared folders over the network, which can be useful for detecting lateral movement and unauthorized access requests from other machines.
Automating file server monitoring with NinjaOne
While you can use Windows native tools to manually conduct file server audits, NinjaOne has powerful features that can help you simplify this process. Here’s how:
- Deployment at scale: NinjaOne makes standardizing audit settings across multiple file servers easier by pushing baseline configurations and verifying audit policy compliance.
- Real-time monitoring and alerts: NinjaOne provides MSPs with comprehensive visibility into file activity by forwarding security events into a centralized library and setting up alerts for suspicious activities like bulk file deletions and unexpected permission changes. It can also generate detailed tickets packed with actionable insights for remediation.
- Prevention and access control: NinjaOne can help you prevent potential data breaches by implementing least privilege Access Control Lists (ACLs).
- Evidence and reporting: NinjaOne turns raw data into insights by automatically attaching event exports to support tickets. It also allows you to build dynamic dashboards that track key events, such as file deletions, permission changes, high-activity file paths, and access exceptions set by clients.
Optimizing Windows file access auditing for better visibility
Native Windows auditing can be a powerful monitoring tool, but only when used with intention. By applying the right audit policies, setting up SACLs to critical paths, and centralizing key events, you gain complete visibility into file and folder activity without overwhelming your team.
Pair this focused approach with proactive detection, prevention controls, and a continuous loop of fine-tuning, and you can build a sustainable audit strategy that can strengthen your security posture and support regulatory compliance.