Windows eventlog and log file - windows

How can I generate a log file which shows which user edited which file in a shared folder? Multiple users have rights to read/write/delete. No .exe execution is happening.
Please help me with how I can create that kind of log file.

Turn on Object Access auditing using Local Security Policy (under Local Policies/Audit Policy) or ask Active Directory administrator to configure this setting using a GPO.
Using Explorer, right click on the folder where you want auditing and select Security
Click Advanced button and then select Auditing Change Auditing tab
Click Add and add the 'Everyone' group
From the list of available entries, select Write/AppendData (and Delete, DeleteFolder)
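
Once auditing is on, each audited access is recorded in the Security log as event 4663. As an added example (not part of the original answer), this Python sketch turns those events into a "who changed which file" log. It assumes the events were exported as XML under a single `<Events>` root element; the sample events, user names and paths are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File access-right bits that indicate a change rather than a read.
WRITE_BITS = {0x2: "WriteData/AddFile", 0x4: "AppendData/AddSubdirectory",
              0x40: "DeleteChild", 0x10000: "DELETE"}

def decode_mask(mask):
    """Names of the modifying rights present in an AccessMask value."""
    return [name for bit, name in WRITE_BITS.items() if mask & bit]

def change_log(xml_text):
    """Return 'time user action path' lines for 4663 events that modify data."""
    lines = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        actions = decode_mask(int(data.get("AccessMask", "0"), 16))
        if not actions:
            continue  # read-only access, not an edit
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        user = f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}'
        lines.append(f'{when} {user} {"+".join(actions)} {data.get("ObjectName", "")}')
    return lines

def _event(when, user, path, mask):
    # Builds one constructed 4663 event for the sample below.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4663</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="SubjectDomainName">CORP</Data>'
            f'<Data Name="ObjectName">{path}</Data>'
            f'<Data Name="AccessMask">{mask}</Data></EventData></Event>')

# Constructed sample export: one write, one read, one delete.
SAMPLE = "<Events>" + "".join([
    _event("2024-01-01T09:00:00Z", "alice", r"D:\Share\report.xlsx", "0x2"),
    _event("2024-01-01T09:05:00Z", "bob", r"D:\Share\report.xlsx", "0x1"),
    _event("2024-01-01T09:10:00Z", "carol", r"D:\Share\old.txt", "0x10000"),
]) + "</Events>"

if __name__ == "__main__":
    print("\n".join(change_log(SAMPLE)))
```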

Related

Windows Share Permissions for Domain Admins not working

I'm setting up a new share that I've enabled enumerated access on. I'm looking to limit people's access to files in a certain folder. I've set up other folders that restrict access unless you're in a security group. The folder that's giving me trouble was copied over from another network share. When I create a folder from scratch everything works fine, so I'm curious if that's what's giving me issues.
The folder I'm trying to access is
x:/Limerock/Projects/"Project Name"
If I go into the security tab and check my effective access it says that I have full control:
The user I'm signed in as is joe.jankowiak, which is part of the Domain Admins security group. Domain Admins owns all the folders above this one and has full control.
When trying to enter the folder it tells me I need to request permission. I'm an admin so it goes through and adds "joe.jankowiak" to the full control list in the security permissions.
Why is it not taking my domain admin credentials to enter this folder? I'm seeing other weird behavior such as it saying "Unable to display current owner." and "You must have read permissions to view the properties of this object". Clicking continue lets me see it.
Everything looks right. I've set up 6 other new folders in the exact same manner and they work fine. I've signed in and out many times but it hasn't fixed it. Weirdly enough, another computer I signed into lets me access the folder just fine. Is there a way to reload file permissions, since logging in/out doesn't seem to do it? Is there a command like gpupdate that I should run?
I have seen this before and you might need to do the following operations in order:
- Replace ownership on the folder and replace all child object ownership too => Apply or OK
- Close the security properties and re-open them again
- Add Domain Admins as full control and Replace all child object permissions... => Apply/OK
That should do it

audit folder which group gives you access

https://www.online-tech-tips.com/windows-xp/how-to-track-and-monitor-who-and-when-someone-accesses-a-folder-on-your-computer/
I followed this guide to add auditing to a specific folder. I added "Everyone" to the audit users.
When I now change something in the folder (create a folder), I see activity in the Windows event log.
But where can I read which group gave me access to the specific folder?
I see stuff like this: D:(A;OICI;FA;;;WD) on Access Reason.
Is there some kind of cryptic translation of the "Everyone" group?
What I need to know, basically: which users are using a specific directory and have access because they are in "Everyone"?
We want to remove "Everyone" from a specific folder, but need to know which users are using the "group", so we can put them in a different group.
The above text is formatted using the Security Descriptor Definition Language (SDDL, https://msdn.microsoft.com/en-us/library/windows/desktop/aa379567(v=vs.85).aspx). Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374928(v=vs.85).aspx to decode your SDDL string.
'D:' stands for DACL is changed or created.
The number of parentheses pairs denotes the number of access control entries added or modified (in this case 1).
OICI - This indicates that the ACE applies to this folder, its files and its subfolders.
FA denotes what permission is actually provided (All Access).
Finally WD stands for 'Everyone'.
Also refer to https://blogs.technet.microsoft.com/askds/2008/05/07/the-security-descriptor-definition-language-of-love-part-2/
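
As an added example (not part of the original answer), this Python sketch decodes the ACE fields of an SDDL string such as the one in the question. It then lists the users whose audited access was granted by an allow ACE for Everyone, which are the accounts to move into another group before removing Everyone. The token tables are a subset of SDDL, and the (user, access-reason) records and their wording are constructed.

```python
import re

# Subset of the two-letter SDDL tokens for ACE type, flags, rights and SIDs.
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACE_FLAGS = {"OI": "object inherit (files)", "CI": "container inherit (subfolders)",
             "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}
RIGHTS = {"FA": "file all access", "FR": "file read", "FW": "file write",
          "FX": "file execute", "GA": "generic all", "GR": "generic read",
          "GW": "generic write", "GX": "generic execute"}
TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
            "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
            "SY": "Local System", "DA": "Domain Admins", "CO": "Creator Owner"}

def pairs(field, table):
    """Split a run of two-letter SDDL tokens and translate each known one."""
    return [table.get(field[i:i + 2], field[i:i + 2])
            for i in range(0, len(field), 2)]

def decode_aces(text):
    """Return one dict per ACE (type;flags;rights;guid;guid;sid) found in text."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", text):
        f = body.split(";")
        if len(f) < 6:
            continue  # other parenthesised text, not an ACE
        rights = [f[2]] if f[2].startswith("0x") else pairs(f[2], RIGHTS)
        aces.append({"type": ACE_TYPES.get(f[0], f[0]),
                     "flags": pairs(f[1], ACE_FLAGS),
                     "rights": rights,
                     "trustee": TRUSTEES.get(f[5], f[5])})
    return aces

def users_relying_on(trustee, records):
    """records: (user, access-reason text) pairs taken from audit events."""
    hits = {user for user, reason in records
            if any(a["type"] == "allow" and a["trustee"] == trustee
                   for a in decode_aces(reason))}
    return sorted(hits)

# Constructed sample records, not real event data.
SAMPLE = [
    ("alice", "WriteData (or AddFile): Granted by D:(A;OICI;FA;;;WD)"),
    ("bob", "WriteData (or AddFile): Granted by D:(A;OICI;FA;;;BA)"),
    ("carol", "DELETE: Granted by D:(A;OICI;FA;;;WD)"),
    ("alice", "READ_CONTROL: Granted by Ownership"),
]

if __name__ == "__main__":
    print(decode_aces("D:(A;OICI;FA;;;WD)"))
    print(users_relying_on("Everyone", SAMPLE))
```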

How to deny read access to a file for all users except a group in Team Foundation Server?

I want to protect a file in TFS (not even read access).
Do we have an option in Team Foundation Server to hide a file from all except for a particular group?
If you edit the permissions for that single file you can change the reader and contributor groups from "inherit" to "not inherit". You can then change all of the permissions for all of the groups to "not configured" to remove permission without denying. Then add your special group and set "allow"
Yes you can deny all permissions of a particular group for a specific with TFS 2013.
Use the Source Control Explorer to find the file of interest. Right click on that file and select "Advanced - Security...". A "Properties for " window will be displayed with the "Security" tab selected. Select the group of interest from those listed [or create it if it does not yet exist]. Then in the "Permissions" section, select the "Deny" checkbox for all permissions starting with the "Read" permission.
The "Deny" permission has precedence over the "Allow" permission, so this should enable you to obtain the desired end result.

why permissions section for Database user is empty in MS Sql server 2008R2

NOTE: I am not a DB admin and I am not that much into SQL Server security.
I am using MS SQL Server 2008R2.
What I want to do is to give a user minimal permissions, or just what he requires.
I have a local user in my Windows, and I added this user to the logins of the database. After that I went to this user in my specific database and tried to change his set of permissions, but the section is coming up empty.
Why is it coming up empty?
And how do I do this, I mean giving him just the permissions that he needs and nothing more?
Please, I want to do this from the user interface, without T-SQL.
EDIT
I just want to give the user read, write, execute, nothing more,
and I also need to know more about how to control users' permissions in more detail.
A. Set up Read/Write
Go to Security/Logins and find your login, double click it
Go to user mapping, and click on the database that you have access to
In the bottom pane under 'Database Role Membership', tick db_datareader and db_datawriter
This gives the user Login SELECT, INSERT, UPDATE, DELETE
B. Revoke DELETE and grant EXECUTE
Create a role that does this:
Go to your database / Security / Roles
Right click, New / Database Role
Give the role a name, I will use executor for this example and press OK
I don't know how to do the next steps in SSMS, You'll need to do it in T-SQL:
Start a new query in your database
Type this and press F5:
GRANT EXECUTE TO executor;
DENY DELETE TO executor;
Now repeat A3 but select your newly created role, 'executor'
Every new user (or group) that you create needs to be a member of these three roles. The best practice is to add a windows group to SQL Server once, and add users to that windows group.
Lastly test this - I don't know for sure that it works.
With regards to the database user securables:
You have to explicitly populate this list to see what it contains. It doesn't populate automatically. Press Search and search for some objects (i.e. all objects belonging to the schema dbo). Now you have a list of objects in the top. Click on an object and click the 'Effective' tab on the bottom. This is the user's effective (final) permissions for this object. If you want to override this at the object level you can assign something on the explicit tab.
Had similar problem after our MSSQL Server was restored on a new server and wanted to set explicit permissions for a user in a DB.
Not sure how to make it default (as it appears to have been previously), but basically just hit the search button in the Securables tab you show to search for "All objects of the types..." and choose the Databases object and click ok / search. You should now see securables for that specific database and can set explicit permissions as well as view existing "effective" permissions.

New folder has insufficient permissions (Mac OS X Server)

I have configured the workgroup manager on Mac OS X Server (10.5.8) with 5 network users in 2 groups. Now I notice that when a network user makes a new folder, the folder is created with read & write permissions for that user, but the group to which the user belongs (as well as "everyone") has only read permissions and other network users are not able to add files or change things in the folder.
I found something about changing the umask by adding a launchd-users.conf file configuring the umask default setting. I did that on the server but that doesn't change anything.
It's a very annoying issue and I hope it's easy to fix. I'm not an expert, so I'm not sure if you know enough with the details above. If necessary I can provide further details.
Thanks a lot!
The basic problem is that the standard unix (/posix) permissions have no good way to control inheritance. Fortunately, there is a solution: grant access to the group via access control list (ACL) extended permissions, which do allow inheritance.
I don't have a 10.5 server handy, but I think the interface is pretty similar to 10.6: in Server Admin -> server name in the sidebar -> File Sharing icon in the top bar -> navigate to the folder/share point you want to grant group access to. If necessary, select the Permissions tab under the file navigator. Click the "+" button under the permissions list to open the users & groups floating window, select Groups in the window, then drag the group you want to grant access to into the ACL (not POSIX) part of the permissions list. Change the Permission for the new ACL entry to "Read & Write", then click Save.
Note that the new ACL entry should have "Applies To" set to "This folder, Child folders, Child files, All descendants", which is what you want; but that only actually applies to new files/folders as they're created. To apply to the current contents, pull down the "action" (gear icon) popup menu under the permissions list, select "Propagate permissions", and propagate the ACL permissions to the current contents of the folder.
I made a new testfolder and ran the ls -le command on the higher level folder and got this as a result:
drwxr-xr-x+ 2 stein ACCOUNTING 68 Nov 14 09:18 Testfolder
0: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
1: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
2: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
3: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
4: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
5: group:ACCOUNTING inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
6: group:ADMINISTRATION inherited allow list ,add_file ,search ,delete,add_subdirectory ,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
I think these are the ACL permissions right? I'm not sure how to get the POSIX permissions via command line? If this is not what you need to know, can you let me know how to get the information you need, as I'm not an expert obviously.
When I told you before what the group and user permissions were, I just right mouseclicked the folder and checked "get info". I don't know if these are the POSIX permissions or not. If I check the info: I see "spotlight" about 4 times, the group "ACCOUNTING" once with custom rights and once with "Read" rights, the user "John" that created the folder with "Read & write" rights, "everyone" with "Read" rights...
