Event-o-Pedia EventID 274 - File access rights changed locally.

	Event Details
	User Activity->Permission Changes->File System Permission Changes->InTrust Plug-in for File Access->File Permission Changes->EventID 274 - File access rights changed locally.

EventID 274 - File access rights changed locally.

Linked Event:

EventID 274 - Object permissions changed.

Sample:

Event Type:     SuccessAudit
Event Source:   Quest File Access Audit Source
Event Category: Local Access
Event ID:       274
Date:           10/28/2009
Time:           10:00:27
User:           RESEARCH\Alebovsky
Computer:       SERVER
Description:    
Object permissions changed: 

	Primary User Name: ALebovsky 

	Primary User Domain: RESEARCH 

	Client User Name:  

	Client User Domain:  

	User Logon ID: (0x0,0x43A4F) 

	Process: C:\WINDOWS\explorer.exe 

	Object Type: File 

	Object Path: C:\documents\Log.txt 

	ACE Action: ACE modified 

	ACE Type: Allow permission 

	Trustee: BUILTIN\Administrators 

	Inherited: No 

	Apply To: This object 

	Old Access Type: Full Control 

	New Access Type: Read, Write 

	Transaction ID:

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Quest File Access Audit

Filtering Field	Equals to Value
Category	ITFA:Local Access
Source	Quest File Access Audit Source
EventId	274
Expression20	RemoveCR(String20) in ('File')

Field Matching

Field	Description	Stored in	Sample Value
When	At what date and time a user activity originated in the system.	DateTime
Who	Account or user name under which the activity occured.	Primary User Name	ALebovsky
What	The type of activity occurred (e.g. Logon, Password Changed, etc.)	"File Access Rights Changed"	File Access Rights Changed
Where	The name of the workstation/server where the activity was logged.	Computer
Where From	The name of the workstation/server where the activity was initiated from.	Computer	DC1
Severity	Specify the seriousness of the event.	"High"	High
WhoDomain		-
WhereDomain		-
Object Type	The type of object whose permissions were changed (e.g. AD object, file, registry, etc.)	Object Type	File
Object Name	The name of the object whose permissions were changed (e.g. full system path to the file or folder)	Object Path	C:\documents\Log.txt
To Whom	Account whose access permissions to the object were changed	Trustee	BUILTIN\Administrators
Access Type		Category	AttestationReview