Built-in Microsoft features and lightweight RMM tools can be used to track file access changes, reducing cost and complexity. This is especially important for small-to-medium businesses (SMBs) that don’t rely on enterprise-grade Security Information and Event Management (SIEM) solutions.
This article is useful if you want to track file access changes effectively with minimal overhead. Read on and learn how to use native tools and modern endpoint platforms to monitor authorized use.
Leverage Microsoft Windows features to track access changes
Windows PCs have tools that can track permissions, export logs, and run scripts. Consider your organization’s technical limits before you run through the steps.
📌 Prerequisites:
- Administrative privileges
- Access to file servers (Windows Server) and Microsoft 365 tenant
- Familiarity with Group Policy or local security policy configuration
- Storage or documentation system (NinjaOne Docs, IT Glue, SharePoint) for log exports and review
Step 1: Enable Windows file access change auditing
To start tracking file access and permission changes, enable the Audit File System setting under Advanced Audit Policy Configuration in the Group Policy Editor. This allows Windows to record access attempts and permission changes in the Security log (viewable in Event Viewer, eventvwr). Here’s how:
📌 Use Cases: Use this for file access permission tracking.
📌 Prerequisites: Windows 10/11 Pro, Enterprise, or Education
- Press Win + R, type gpedit.msc, and press Ctrl + Shift + Enter.
- Navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access
- Enable Audit File System for both Success and Failure events.
- The Security log will record the following:
- Event ID 4670: Permission changes
- Click Apply, then OK.
You can read Microsoft’s official documentation on audit policies here.
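Turning on Audit File System only enables the subcategory. Windows writes these events only for files and folders that also carry an audit entry (SACL). The following added example, which is not part of the original article, checks the policy and adds an audit entry to one folder. The path C:\SensitiveData, the audited principal (Everyone) and the selected rights are assumptions to adjust.

```powershell
# Added example. Run in an elevated PowerShell session.
# Assumption: C:\SensitiveData is the folder you want audited.
$folder = 'C:\SensitiveData'

# 1. Confirm the effective policy (subcategory name as shown on English-language Windows).
auditpol /get /subcategory:"File System"

# 2. Build an audit rule: record successful and failed permission changes,
#    ownership changes, writes and deletes, inherited by subfolders and files.
#    Read access is left out on purpose to keep event volume manageable.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights    = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit, $propagate, $flags)

# 3. Read the ACL including its audit entries (-Audit), add the rule, write it back.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Verify that the audit entry is now present on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```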
Step 2: Use PowerShell to export key events
Use a PowerShell query to automatically check your Security log for relevant Event IDs.
📌 Use Cases: Use this to gather data fast and create readable reports.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Run the following:
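```powershell
# Export-Csv does not create the target folder, so create it first
New-Item -ItemType Directory -Path "C:\AuditLogs" -Force | Out-Null

# Export the last seven days of permission-change events (Event ID 4670)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4670
    StartTime = (Get-Date).AddDays(-7)
} | Export-Csv "C:\AuditLogs\PermissionChanges.csv" -NoTypeInformation
```

Replace PermissionChanges.csv with the name you want for your exported CSV file.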
You can also use the Task Scheduler to run weekly PowerShell queries for automated file access checks.
Step 3: Monitor file access in Microsoft 365
In Microsoft-heavy environments, optimize access tracking with tools like Microsoft Purview. Its audit logs provide visibility on file access and permission changes across SharePoint, OneDrive, and Teams, letting IT professionals mitigate risk and maintain compliance.
📌 Use Case: Ideal for organizations managing sensitive data in Microsoft 365.
With Microsoft Purview
- Go to the Microsoft Purview Compliance Portal.
- Navigate to:
Audit > Start recording user and admin activity
- Use the Audit Search to filter relevant user activities (e.g., FileAccessed).
- Export results to CSV for reporting or analysis.
- Set alert policies for sensitive actions (e.g., external sharing, permission changes).
Without Microsoft Purview
Even without a Microsoft 365 license for Purview, power users can still monitor file-sharing activity through the Unified Audit Log (available in Microsoft 365 E3 and some Business plans). Access this through the Security & Compliance Center to check who viewed which files and which documents were recently shared.
Step 4: Build a lightweight review workflow
Keeping a record of all permission changes is essential for accountability, context, and uninterrupted productivity. Record file access changes in a tracker table with the following columns:
- Date: When the file access change occurred
- User: Relevant staff involved in the change
- File/Folder: Specific file or folder whose access rights got modified
- Action: The change that was made to the file’s access settings
- Notes: Relevant details about file access changes that are reviewed quarterly by an assigned team member
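The export from Step 2 and the tracker table above can be connected by turning each Security event into one register row. This is an added example, not part of the original article; the function name ConvertTo-RegisterRow and the sample event are constructed for illustration.

```powershell
# Added example: map Security events 4663/4670 to register rows
# (Date, User, File/Folder, Action, Notes).
function ConvertTo-RegisterRow {
    param([Parameter(Mandatory)][string]$EventXml)

    $evt = ([xml]$EventXml).Event
    # EventData is a list of <Data Name="...">value</Data> elements
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.InnerText }

    $id = [int]$evt.System['EventID'].InnerText
    switch ($id) {
        4670    { $action = 'Permissions changed'
                  $notes  = "Old SD: $($data.OldSd) | New SD: $($data.NewSd)" }
        4663    { $action = "Object accessed (access mask $($data.AccessMask))"; $notes = '' }
        default { $action = "Event $id"; $notes = '' }
    }
    [PSCustomObject]@{
        Date       = [datetime]$evt.System.TimeCreated.SystemTime
        User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        FileFolder = $data.ObjectName
        Action     = $action
        Notes      = "$notes | Process: $($data.ProcessName)".TrimStart(' ', '|')
    }
}

# Constructed sample event (trimmed to the fields used above), so this runs offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4670</EventID><TimeCreated SystemTime="2025-01-15T19:42:10Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectName">C:\SensitiveData\Payroll</Data>
    <Data Name="OldSd">D:AI(A;ID;FA;;;BA)</Data>
    <Data Name="NewSd">D:AI(A;ID;FA;;;BA)(A;;FR;;;WD)</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
ConvertTo-RegisterRow -EventXml $sample | Format-List

# Live use: feed real events through the same function
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663,4670; StartTime=(Get-Date).AddDays(-7) } |
#     ForEach-Object { ConvertTo-RegisterRow -EventXml $_.ToXml() } |
#     Export-Csv "C:\AuditLogs\AccessChangeRegister.csv" -NoTypeInformation
```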
Step 5: Integrate alerts without SIEM to track file access changes
Real-time alerts are crucial for taking timely action, whether it involves missing permissions or your IT incident response. Here’s how to seamlessly track file access and permission changes with scripts that notify you when an action is detected.
📌 Use Cases: Use this step to track file access changes via email alerts.
📌 Prerequisites: Windows 10/11 Pro, Enterprise, or Education. Email service configured for PowerShell (e.g., SMTP relay or internal mail server)
- Enable file access auditing via Group Policy.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Run the following:
```powershell
# --- Configuration ---
$MaxEvents = 50                  # Reduced from 100 to minimize email noise
$LogName   = "Security"
$EventIds  = @(4663, 4670)       # Specific event IDs to monitor
$SensitiveKeywords = @("administrator", "password", "confidential", "secret")

# --- Logging Function ---
function Write-Log {
    param($Message)
    $logDir = "C:\Logs\SecurityMonitor"
    # Out-File does not create missing folders, so create the log folder on first run
    if (-not (Test-Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    }
    $logPath = Join-Path $logDir "$(Get-Date -Format 'yyyyMMdd')_security.log"
    "$(Get-Date) - $Message" | Out-File -Append -FilePath $logPath
}

# --- Filtering and Processing Function ---
function Process-SecurityEvents {
    # Filter by event ID and time inside the query, so that -MaxEvents counts
    # matching events instead of the newest 50 Security events of any kind
    $filter = @{
        LogName   = $LogName
        Id        = $EventIds
        StartTime = (Get-Date).AddHours(-1)   # Last hour only, to reduce noise
    }
    # SilentlyContinue: Get-WinEvent raises an error when nothing matches
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Additional context and sanitization
            $safeMessage = $_.Message -replace '\s+', ' '
            $containsSensitive = $SensitiveKeywords | Where-Object { $safeMessage -match $_ }
            [PSCustomObject]@{
                TimeCreated    = $_.TimeCreated
                Id             = $_.Id
                Message        = if ($containsSensitive) { "Sensitive content detected" } else { $safeMessage }
                # [bool] cast instead of the ?: operator, which Windows PowerShell 5.1 cannot parse
                SensitiveFound = [bool]$containsSensitive
            }
        }

    # Only send email if events are found
    if ($events) {
        $body = $events |
            Select-Object TimeCreated, Id, Message |
            Format-Table -AutoSize |
            Out-String

        # Email parameters with error handling
        $emailParams = @{
            To          = "recipient@example.com"   # Placeholder: your alert mailbox
            From        = "sender@example.com"      # Placeholder: your sending address
            Subject     = "Security Event Alert - $(Get-Date)"
            Body        = $body
            SmtpServer  = "smtp.company.com"
            ErrorAction = "Stop"
        }
        try {
            Send-MailMessage @emailParams
            Write-Log "Security events email sent successfully"
        }
        catch {
            Write-Log "Failed to send security event email: $_"
        }
    }
}

# --- Main Execution ---
try {
    Process-SecurityEvents
}
catch {
    Write-Log "Script execution error: $_"
}
```
- Save the script in a text file and name it FileAccessAlert.ps1. Note its complete file location.
- Press Win + R, type taskschd.msc, and press Ctrl + Shift + Enter.
- Click Create Task.
- Under General, name the task (e.g., “File Access Alert”).
- Under Triggers, set a schedule (e.g., every hour or daily).
- Under Actions, choose:
- Start a program
- Program or script: powershell.exe
- Add arguments: -ExecutionPolicy Bypass -File "C:\Scripts\FileAccessAlert.ps1"
- Save and test the task.
- Archive email alerts in a shared knowledge base for compliance efforts.
Best practices for file access tracking
| Best practice | How it brings value | Example scenarios |
| --- | --- | --- |
| Enable Windows file auditing | Allows IT professionals to monitor file access changes through built-in system events | An MSP enables file access tracking to detect unauthorized access on high-risk financial folders. |
| Use PowerShell exports | Detects and exports system event data to simplify file access monitoring | A technician schedules a PowerShell export script to send bi-weekly reports to compliance channels. |
| Leverage Microsoft 365 audit logs | Extends tracking efforts to cloud-based files and folders | A comprehensive QBR report shows how HR folders on SharePoint were accessed externally. |
| Maintain an access change register | Ensures client-ready transparency reports | An IT service desk detected recent permission changes on sensitive folders and prompted a client to check in. |
| Automate alerts for anomalies | Reduces Mean Time To Respond (MTTR) | Custom script detects after-hours access to restricted folders; automatically sends an email to security operations. |
💡Tip: Here’s a simplified PowerShell script that can monitor file system access during off-hours (e.g., 6 PM – 8 AM):
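```powershell
# FileSystemWatcher reports creates, changes, deletes, renames and ACL changes.
# It does not identify the user; use the audit events from Step 1 for that.
$folderPath = "C:\SensitiveData"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $folderPath
$watcher.IncludeSubdirectories = $true
# NotifyFilter is a flags enum: combine the values with -bor
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor
                        [System.IO.NotifyFilters]::DirectoryName -bor
                        [System.IO.NotifyFilters]::LastWrite -bor
                        [System.IO.NotifyFilters]::LastAccess -bor
                        [System.IO.NotifyFilters]::Security
$watcher.EnableRaisingEvents = $true

$action = {
    $currentHour = (Get-Date).Hour
    # Off-hours window: 6 PM (18:00) through 7:59 AM
    if ($currentHour -lt 8 -or $currentHour -ge 18) {
        $subject = "After-Hours Access Detected"
        $body = "File event: $($Event.SourceEventArgs.ChangeType) on $($Event.SourceEventArgs.FullPath) at $($Event.TimeGenerated)"
        # Placeholder addresses: replace with your own sender and recipient
        Send-MailMessage -To "recipient@example.com" -From "sender@example.com" -Subject $subject -Body $body -SmtpServer "smtp.company.com"
    }
}

# Register-ObjectEvent accepts one event name per call.
# The subscriptions last only while this PowerShell session stays open.
foreach ($eventName in "Changed", "Created", "Deleted", "Renamed") {
    Register-ObjectEvent -InputObject $watcher -EventName $eventName -Action $action | Out-Null
}
```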
Automation touchpoint example
Run this PowerShell Script with admin rights to pull SharePoint audit logs from Microsoft 365. Schedule it weekly to retrieve audit logs on cloud-based files and folders:
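```powershell
# Search-UnifiedAuditLog is an Exchange Online cmdlet: connect first
# (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline

# -ResultSize: the cmdlet returns 100 records by default; 5000 is the maximum per call
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType SharePointFileOperation -ResultSize 5000 |
    Export-Csv "M365FileAccessLog.csv" -NoTypeInformation
```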
💡Note: This script will pull all SharePoint/OneDrive-related audit events from the past seven days, which will need considerable overhead to analyze.
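One way to cut that analysis overhead is to summarize the export per user and operation before anyone reads individual rows. This is an added example, not part of the original article: the function name Get-FileAccessSummary is hypothetical and the three sample rows are constructed, using the AuditData JSON column that each exported record carries.

```powershell
# Added example: summarize unified audit log rows per user and operation.
function Get-FileAccessSummary {
    param([Parameter(Mandatory)][object[]]$Rows)

    $Rows |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |   # expand the JSON detail
        Group-Object UserId, Operation |
        ForEach-Object {
            [PSCustomObject]@{
                User      = $_.Group[0].UserId
                Operation = $_.Group[0].Operation
                Events    = $_.Count
                Files     = @($_.Group.ObjectId | Sort-Object -Unique).Count
                LastSeen  = $_.Group.CreationTime | Sort-Object | Select-Object -Last 1
            }
        } |
        Sort-Object Events -Descending
}

# Constructed sample rows shaped like the exported CSV (AuditData column only)
$rows = @(
    @{ UserId = 'jdoe@contoso.example';  Operation = 'FileAccessed'
       ObjectId = 'https://contoso.example/sites/HR/salaries.xlsx'; CreationTime = '2025-01-15T19:42:10' },
    @{ UserId = 'jdoe@contoso.example';  Operation = 'FileAccessed'
       ObjectId = 'https://contoso.example/sites/HR/reviews.docx';  CreationTime = '2025-01-15T19:45:02' },
    @{ UserId = 'asmith@contoso.example'; Operation = 'SharingSet'
       ObjectId = 'https://contoso.example/sites/HR/salaries.xlsx'; CreationTime = '2025-01-16T08:03:41' }
) | ForEach-Object { [PSCustomObject]@{ AuditData = ($_ | ConvertTo-Json -Compress) } }

Get-FileAccessSummary -Rows $rows | Format-Table -AutoSize

# Live use with the file exported above:
# Get-FileAccessSummary -Rows (Import-Csv "M365FileAccessLog.csv") | Format-Table -AutoSize
```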
Avoid log overload by centralizing exported logs with endpoint management platforms that include dedicated ticketing systems, allowing you to track file access changes with ease.
Audit file access with NinjaOne
NinjaOne empowers IT professionals with an RMM platform that lets your team remotely manage device health and software inventory within a single pane of glass. NinjaOne’s features make the process easier by:
- Setting scheduled scripts across specific endpoints for you.
- Providing a dedicated knowledge base for audit exports.
- Tracking system-level changes and unauthorized software installations (and optionally removing them automatically).
- Simplifying device health reports with client-facing dashboards.
Audit file share access with automated solutions
Easy, low-cost file audit logging is possible through built-in features, but can be elevated with cloud-native RMM platforms. While overhead should be minimized, these services can offer modern tools beyond the starter kit, giving you the edge over competitors without breaking the bank on SIEMs.
Like built-in encryption, file permission management gives your organization a vital layer of security and surveillance. Monitor it all from an all-in-one dashboard that prioritizes customization and versatility for better control.
