NTFS Change Auditor

What permissions or privileges are required to view NTFS shared folder change information of Windows servers/workstations using NTFS Change Auditor?

By default, NTFS Change Auditor connects to a domain or server in the context of the currently logged-on user. If that user does not have sufficient permissions, it uses the alternate domain credential (having domain administrator privileges) specified in the Domain Credentials Configuration Settings for managing all computers in each domain. In this case, NTFS Change Auditor establishes a session with the destination domain or server using the specified user credential. To read event logs and report NTFS changes, NTFS Change Auditor requires the currently logged-on user or the provided user credential to be a member of the local Administrators group on the configured hosts.

What are the prerequisites needed to run NTFS Change Auditor?

To use the NTFS Change Auditor application effectively, ensure the following points:

How can I configure SACL auditing for a folder or a file?

To set up SACL auditing for a folder or file, perform the following steps.

How long can I keep the Change History?

You can keep the data for as long as it is required. NTFS Change Auditor stores several years of change data in the database for security, compliance and regulation purposes. You may also clean up some of the history using the Cleanup tool.

What happens if there is event flooding?

Event flooding may cause some events to be missed and not stored in the application database. The reports generated for the affected folders or files will then be missing some change data. Event flooding may happen when there are sudden, significant changes across folders and files that are configured for change tracking with SACL auditing settings enabled.

Why am I getting empty data in the reports even after enabling auditing and also having 'Administrators' group membership?

This may be due to a Windows Firewall setting that disallows reading of event log data from servers and workstations. Ensure that remote event log reads are allowed by the Windows Firewall on the target servers and workstations by performing the following steps:

How can I monitor those who have accessed my company’s critical folders and files?

Enable SACL auditing as described in question 3. You can then monitor who has accessed the critical folders and files by doing the following actions:

Warning: Enable SACL auditing for Read attributes only on the critical folders and files. Auditing this event on a large number of folders, for example on your root folder or on other folders that do not need it, may cause event flooding.
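
One way to check for the over-broad read auditing that the warning above describes, as an added example (it is not part of NTFS Change Auditor or its documentation). The function name `Get-ReadAuditFinding` and the folder paths are hypothetical; run it in an elevated session, because reading a SACL requires the "Manage auditing and security log" right.

```powershell
function Get-ReadAuditFinding {
    param(
        [Parameter(Mandatory)][string[]]$Path,   # folders or files to inspect
        [string[]]$Critical = @()                # paths where read auditing is intended
    )
    # Read-type rights: each one can log an event on every browse or open.
    $readRights = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions'

    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -ErrorAction Stop
        # -Audit makes Get-Acl return the SACL (audit entries) as well as the DACL.
        $acl = Get-Acl -LiteralPath $item.FullName -Audit -ErrorAction Stop
        # A drive root is a directory with no parent.
        $isRoot = $item.PSIsContainer -and ($null -eq $item.Parent)

        foreach ($rule in $acl.Audit) {
            # Skip audit entries that do not cover any read-type right.
            if (([int]$rule.FileSystemRights -band [int]$readRights) -eq 0) { continue }

            $finding = if ($isRoot) {
                'Read auditing on a drive root'
            } elseif ($Critical -notcontains $item.FullName) {
                'Read auditing outside the critical list'
            } else {
                'OK'
            }

            [pscustomobject]@{
                Path       = $item.FullName
                Identity   = $rule.IdentityReference
                Rights     = $rule.FileSystemRights
                AuditFlags = $rule.AuditFlags        # Success, Failure or both
                Propagates = $rule.InheritanceFlags  # None means this object only
                Inherited  = $rule.IsInherited       # True: set on a parent folder
                Finding    = $finding
            }
        }
    }
}

# Constructed sample paths; replace them with folders on your own server.
$critical = @('D:\Finance\Payroll', 'D:\HR\Contracts')
$toCheck  = @('D:\', 'D:\Public') + $critical

Get-ReadAuditFinding -Path $toCheck -Critical $critical |
    Where-Object Finding -ne 'OK' |
    Format-Table Path, Identity, Rights, Propagates, Inherited, Finding -AutoSize
```

An entry with `Inherited` set to True has to be corrected on the parent folder that defines it, not on the folder where it shows up.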