Event Details
User Activity->Permission Changes->File System Permission Changes->InTrust Plug-in for File Access->Common File System Permission Changes->EventID 274 - Object permissions changed.
EventID 274 - Object permissions changed.
 Sample: 
Event Type:     SuccessAudit
Event Source:   Quest File Access Audit Source
Event Category: Local Access
Event ID:       274
Date:           10/28/2009
Time:           10:00:27
User:           RESEARCH\Alebovsky
Computer:       SERVER
Description:    
Object permissions changed: 

	Primary User Name: ALebovsky 

	Primary User Domain: RESEARCH 

	Client User Name:  

	Client User Domain:  

	User Logon ID: (0x0,0x43A4F) 

	Process: C:\WINDOWS\explorer.exe 

	Object Type: File 

	Object Path: C:\documents\Log.txt 

	ACE Action: ACE modified 

	ACE Type: Allow permission 

	Trustee: BUILTIN\Administrators 

	Inherited: No 

	Apply To: This object 

	Old Access Type: Full Control 

	New Access Type: Read, Write 

	Transaction ID:
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Quest File Access Audit
Filtering Field Equals to Value
Category ITFA:Local Access
Source Quest File Access Audit Source
EventId 274
Expression RemoveCR(String20) not in ('File', 'Folder')
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 10.10.2000 19:00:00
Who Account or user name under which the activity occured. Primary User Name ALebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "File System Object Permissions Changed" File System Object Permissions Changed
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. Computer DC1
Severity Specify the seriousness of the event. "High" High
WhoDomain -
WhereDomain -
Object Type The type of object whose permissions were changed (e.g. AD object, file, registry, etc.) Object Type File
Object Name The name of the object whose permissions were changed (e.g. full system path to the file or folder) Object Path C:\documents\Log.txt
To Whom Account whose access permissions to the object were changed Trustee BUILTIN\Administrators
Access Type Category AttestationReview
Comments
You must be logged in to comment