Event Details
User Activity->Permission Changes->File System Permission Changes->InTrust Plug-in for File Access->Folder Permission Changes->EventID 2306 - Folder ownership changed locally.
EventID 2306 - Folder ownership changed locally.
 Sample: 
Event Type:     SuccessAudit
Event Source:   Quest File Access Audit Source
Event Category: Local Access
Event ID:       2306
Date:           10/28/2009
Time:           09:59:07
User:           RESEARCH\Alebovsky
Computer:       SERVER
Description:    
Object owner changed: 

	Primary User Name: ALebovsky 

	Primary User Domain: RESEARCH 

	Client User Name: ALebovsky 

	Client User Domain: RESEARCH 

	User Logon ID: (0x0,0x43A4F) 

	Process: C:\WINDOWS\explorer.exe 

	Object Type: File 

	Object Path: C:\documents\Book.xls 

	Original Owner: BUILTIN\Administrators 

	New Owner: RESEARCH\ALebovsky 

	Transaction ID:
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Quest File Access Audit
Filtering Field Equals to Value
Category ITFA:Local Access
Source Quest File Access Audit Source
EventId 2306
Expression20 RemoveCR(String20) in ('Folder')
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime
Who Account or user name under which the activity occured. Primary User Name ALebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Folder Ownership Changed" Folder Ownership Changed
Where The name of the workstation/server where the activity was logged. Computer
Where From The name of the workstation/server where the activity was initiated from. Computer DC1
Severity Specify the seriousness of the event. "High" High
WhoDomain -
WhereDomain -
Object Type The type of object whose permissions were changed (e.g. AD object, file, registry, etc.) Object Type File
Object Name The name of the object whose permissions were changed (e.g. full system path to the file or folder) Object Path C:\documents\Book.xls
To Whom Account whose access permissions to the object were changed New Owner RESEARCH\ALebovsky
Access Type Category AttestationReview
Comments
You must be logged in to comment