By default, NTFS Change Auditor uses the currently logged-on user context to connect to a domain/server. If the currently logged-on user does not have sufficient permissions, it uses the alternate domain credential (having domain administrator privileges) for managing all computers in each domain specified in the Domain Credentials Configuration Settings. In this case, NTFS Change Auditor establishes a session with the destination domain/server, using the specified user credential. NTFS Change Auditor requires the currently logged-on user or the provided user credential to be a member of the local Administrators group on the configured hosts in order to read event logs and report NTFS changes.
To use the NTFS Change Auditor application effectively, ensure the following points:
To set up SACL auditing for a folder or file, perform the following steps.
After enabling SACL auditing as mentioned in question 3, you can track permission changes by configuring event ID 4670 and the folder or file for which you want to track changes in Data Collector Settings.
After enabling SACL auditing as mentioned in question 3, you can track ownership changes by configuring event ID 4670 and the folder or file for which you want to track changes in Data Collector Settings.
After enabling SACL auditing as mentioned in question 3, you can monitor read/write/delete actions by configuring event IDs 4663 and 5140 and the folder, file or share for which you want to track changes in Data Collector Settings.
Yes, you can track the changes made to NTFS Shares alone by configuring the Event IDs 5140, 5142, 5143 and 5144 in Data Collector Settings.
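The event IDs named in the answers above can also be checked directly in the Security event log, which is useful for confirming that SACL auditing is producing data before configuring Data Collector Settings. The following PowerShell is an added example, not part of NTFS Change Auditor; the folder path and default values are hypothetical, and it assumes SACL auditing and the matching audit policy are already enabled and that it is run by a local administrator on the target host.

```powershell
# Added example. $Path, $Server and $Hours are hypothetical defaults.
param(
    [string]$Path   = 'D:\Shares\Finance',
    [string]$Server = $env:COMPUTERNAME,
    [int]$Hours     = 24
)

# Event IDs named on this page, mapped to the change each one records.
$EventMap = @{
    4663 = 'Object access (read/write/delete)'
    4670 = 'Permissions changed'
    5140 = 'Share accessed'
    5142 = 'Share added'
    5143 = 'Share modified'
    5144 = 'Share deleted'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($EventMap.Keys)
    StartTime = (Get-Date).AddHours(-$Hours)
}

# SilentlyContinue suppresses the "no events found" error on a quiet log.
Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # File events carry ObjectName; share events carry ShareName.
        $target = if ($data.ObjectName) { $data.ObjectName } else { $data.ShareName }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Change = $EventMap[$_.Id]
            User   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Target = $target
        }
    } |
    # Keep all share events, and file events only under the audited folder.
    Where-Object { $_.Id -ge 5140 -or $_.Target -like "$Path*" } |
    Sort-Object Time |
    Format-Table -AutoSize
```

An empty result for 4663 or 4670 on a folder that is known to have changed usually means the SACL or the audit policy is not in effect on that host.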
Yes, you can keep a complete history of change data for the selected folders and files in the application database for several years.
You can keep that data as long as it is required. NTFS Change Auditor stores several years of change data in the database for security, compliance and regulation purposes. You may also clean up some of the history using the Cleanup tool.
Yes, you can get real time alerts through emails for any changes made to files and folders.
Event flooding may cause some events to be missed and not stored in the application database. This results in some loss of change data for folders or files when generating reports. Event flooding may happen when there are sudden, significant changes across folders and files that are configured for change tracking with SACL auditing settings enabled.
No, the application collects only the relevant event log records that pertain to the changes detected in the configured hosts.
‘NTFS Listener Service’ gets restarted by the application automatically in the following scenarios:
Yes, you can configure event IDs only for Security event log data collection. The application lets you do this through the optional Send E-mail setting in the ‘Event Configuration – Add Event Information’ dialog.
You may use the Cleanup Change History tool in the application to clean up your database.
This may be due to a Windows Firewall setting that disallows reading of event log data from servers and workstations. Ensure that remote event log reading is allowed by the Windows Firewall on the target servers and workstations by performing the following steps:
Enable the SACL auditing as mentioned in question 3. You can monitor who has accessed the critical folders and files by doing the following actions:
Warning: Enable SACL auditing for Read attributes only on the critical folders and files. Otherwise, auditing this event on a large number of folders, say, on your root folder or other unwanted folders, may cause event flooding.