Event Details
EventID 273 - File access rights changed remotely.
 Sample:
Event Type:     SuccessAudit
Event Source:   Quest File Access Audit Source
Event Category: Remote Access
Event ID:       273
Date:           10/28/2009
Time:           10:22:40
User:           RESEARCH\CBrown
Computer:       SERVER
Description:    
Object permissions changed: 

	User Name: CBrown 

	User Domain: RESEARCH 

	User Logon ID: (0x0,0x10058A) 

	User IP Address: 10.0.0.1 

	Object Type: File 

	Object Path: C:\documents\Compaign.doc 

	ACE Action: ACE modified 

	ACE Type: Allow permission 

	Trustee: BUILTIN\Administrators 

	Inherited: No 

	Apply To: This object 

	Old Access Type: Full Control 

	New Access Type: Execute, Read, Write 

	Transaction ID:  
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: Quest File Access Audit

| Filtering Field | Equals to Value |
|---|---|
| Category | ITFA:Remote Access |
| Source | Quest File Access Audit Source |
| EventId | 273 |
| Expression | RemoveCR(String20) in ('File') |

Field Matching

| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | At what date and time a user activity originated in the system. | DateTime | |
| Who | Account or user name under which the activity occurred. | User Name | CBrown |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "File Access Rights Changed" | File Access Rights Changed |
| Where | The name of the workstation/server where the activity was logged. | Computer | |
| Where From | The name of the workstation/server where the activity was initiated from. | User IP Address | 10.0.0.1 |
| Severity | Specify the seriousness of the event. | "High" | High |
| WhoDomain | - | | |
| WhereDomain | - | | |
| Object Type | The type of object whose permissions were changed (e.g. AD object, file, registry, etc.) | Object Type | File |
| Object Name | The name of the object whose permissions were changed (e.g. full system path to the file or folder) | Object Path | C:\documents\Compaign.doc |
| To Whom | Account whose access permissions to the object were changed | Trustee | BUILTIN\Administrators |

Access Type Category AttestationReview