Event Details
EventID 2305 - Folder ownership changed remotely.
 Sample:
Event Type:     SuccessAudit
Event Source:   Quest File Access Audit Source
Event Category: Remote Access
Event ID:       2305
Date:           10/28/2009
Time:           10:21:29
User:           RESEARCH\CBrown
Computer:       SERVER
Description:
Object owner changed:
	User Name: CBrown
	User Domain: RESEARCH
	User Logon ID: (0x0,0xF157E)
	User IP Address: 10.0.0.1
	Object Type: File
	Object Path: C:\documents\Compaign.doc
	Original Owner: BUILTIN\Administrators
	New Owner: RESEARCH\CBrown
	Transaction ID:
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Quest File Access Audit
Filtering Field   Equals to Value
Category          ITFA:Remote Access
Source            Quest File Access Audit Source
EventId           2305
Expression        RemoveCR(String20) in ('Folder')
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime |
Who | Account or user name under which the activity occurred. | User Name | CBrown
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Folder Ownership Changed" | Folder Ownership Changed
Where | The name of the workstation/server where the activity was logged. | Computer |
Where From | The name of the workstation/server where the activity was initiated from. | User IP Address | 10.0.0.1
Severity | Specify the seriousness of the event. | "High" | High
WhoDomain | -
WhereDomain | -
Object Type | The type of object whose permissions were changed (e.g. AD object, file, registry, etc.) | Object Type | File
Object Name | The name of the object whose permissions were changed (e.g. full system path to the file or folder) | Object Path | C:\documents\Compaign.doc
To Whom | Account whose access permissions to the object were changed | New Owner | RESEARCH\CBrown
Access Type Category AttestationReview