How to Detect Who Changed a File or Folder Owner

Native Auditing vs. Netwrix Auditor for Windows File Servers
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Windows File Servers
Native Auditing
Netwrix Auditor for Windows File Servers
Steps
  1. Navigate to the required file share → Right-click it and select "Properties" → Switch to the "Security" tab → Click the "Advanced" button → Go to the "Auditing" tab → Click the "Add" button → Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Change permissions and "Take ownership".
  2. Run gpmc.msc → Edit "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings.
  3. Go to Local Policies → Audit Policy:
    • Audit object access → Define → Success and Failures
  4. Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
    • Audit File System → Define → Success and Failures
    • Audit Handle Manipulation → Define → Success and Failures
  5. Go to Event Log → Define:
    • Maximum security log size to 1 GB
    • Retention method for security log to “Overwrite events as needed”
  6. Open Event Viewer → Search the Security Windows Logs for the event ID 4663 with the "File Server" or "Removable Storage" task category and with the "Accesses: WRITE_OWNER" string. "Subject Security ID" will show you who changed the owner of a file or a folder.
Detect Who Changed a File or Folder Owner with Native Auditing
  1. Run Netwrix Auditor → Navigate to “Search” → Click on “Advanced mode” if not selected → Set up the following filters:
    • Filter = “Data source”
      Operator = “Equals”
      Value = “File Servers”
    • Filter = “Details”
      Operator = “Contains”
      Value = “Owner changed"
  2. Click the “Search” button and review who changed file or folder owners.
Detect Who Changed a File or Folder Owner with Netwrix Auditor

To create an alert on file or folder owner changes:

  1. From the search results, navigate to “Tools” → Click “Create alert” → Specify the new alert’s name.
  2. Switch to the “Recipients” tab → Click "Add Recipient" → Specify the email address where you want the alert to be delivered.
  3. Click “Add” to save the alert.
Learn more about Netwrix Auditor for Windows File Servers

Quickly detect changes to file/folder ownership to mitigate the risk of data breaches

Every object on a file share has an owner. A file’s owner controls who has permissions to the object; full access permissions are particularly important because they enable the user to read, copy, delete and relocate the file. Therefore, any change of a file owner increases the risk of unauthorized access that could result in the loss or leakage of sensitive data. IT administrators must continuously monitor every change to a file owner and detect improper changes in order to mitigate the risk of data breaches and compliance failures.

Netwrix Auditor for Windows File Servers delivers complete visibility into what’s happening on your Windows file servers and provides actionable audit data about all changes made to files and folders, including a change of a file owner. The application also provides the current and past values for each change. These values help you quickly detect which file’s owner was changed, the old and the new name of the owner of the file, when and where the change was made, and — most important — who changed a file owner.

Related How-tos
How to Detect File Changes in a Shared Folder How to Detect Who Tried to Modify a File or a Folder on Your Windows File Server How to Track Who Deleted a File from Your Windows File Servers How to Export Folder Permissions to Excel or CSV File How to Get an NTFS Permissions Report How to Get ACL for a Folder