How to allow writing in a new steam folder. Setting folder permissions in Windows


How to enable recording?

Master's answer:

Many users with a limited account are faced with problems that arise when writing files to removable drives. Of course, such troubles can arise if the flash drive is malfunctioning or if there are problems with formatting.

If there is a problem with writing to the drive being used and the user has a limited account on the computer, you need to change the parameter that prevents writing. To do this, after loading, you need to log into the operating system with the “Administrator” account and its rights. Now you need to change your account settings so that the account that has limited capabilities has the ability to copy information to removable media.

Now all that remains is to apply the changes and close the windows using the OK button. After restarting the PC, which is necessary for the changes to take effect, log back into the operating system using your account with a limited account. As a test, copy some file to your removable drive.

It happens that a flash drive is deliberately protected from writing. To eliminate this, carefully consider how the small switch is located on the side of the flash drive - it should be in the Unlocked position. Most often, such actions are required by drives that are used in cameras, phones, players and other devices with SD and MicroSD memory cards.

The card reader switch also requires special attention if it is used as an adapter for connecting a device. And this applies to MicroSD adapters, which are shaped like an ordinary SD card.

Find out whether your flash card is password protected. If this is the case, then it needs to be unlocked on the device where the lock was set. The presence of a lock on the flash drive will not allow you to write to it.

But it happens that other reasons that cannot be clarified prevent the recording from being made. This means that the flash drive needs to be formatted, and not just with the standard Windows programs! To do this, download and install on your PC the special utilities developed by the flash drive manufacturer. The utilities will help you format the removable drive and fix errors on it.

In this article we will talk in detail about how you can change access rights to files and folders in Windows 7, as well as how to change the owner of a file or folder. This knowledge will be useful, for example, for organizing a home network to which several users are connected.

The easiest way to change the owner of a file or folder is to use Windows Explorer. Let's see how this can be done.

How to change the owner of a file or folder

Right-click the file or folder and select the Properties command, then open the Security tab. Click the Advanced button.

The Owner tab will open.

Click the Change button and a window will open. Now select the desired user or group in the Change owner to list and click the OK button.

Let's assume that the required user or group is not in the list. Click the Other users and groups button. Now enter a user or group name in the field.

However, you must enter the name according to special rules, which you can find out by clicking the examples link.

There is an easier option: click the Advanced button and then the Search button. All users and groups on your computer will be listed in the window.

All that remains is to select a user or group and click the OK button. We will return to the previous window, where the user we selected will be indicated.

Click the OK button. Now the main thing: check the box, then click the OK button. As a result, the folder or file will receive a new owner.

How to change permissions on files or folders

Okay, we've sorted out the owners. What about access permissions? We have added a new owner, but what if it is necessary to specify exactly what he is allowed to do and what he should not count on? You can also do this using the Security tab.

Right-click the file or folder and select the Properties command, then go to the Security tab. Select the desired user/group in the Groups or users field and click the Change button.

Now, in the Allow and Deny columns, check the boxes next to the permissions you require. For example, if you need to prevent a user from changing files or folders, check the box in the Deny column opposite the Change permission. Then click the Apply button and the ban will come into force.

Computers running Windows operating systems can work with various file systems such as FAT32 and NTFS. Without going into the similarities, we can say that they differ in the main thing: the NTFS file system allows you to configure security settings for each file or folder (directory). That is, for each file or folder, the NTFS file system stores so-called ACLs (Access Control Lists), which list all users and groups that have certain access rights to this file or folder. The FAT32 file system does not have this capability.

In the NTFS file system, each file or folder can have the following security rights:

  • Reading — Allows browsing folders and viewing a list of files and subfolders, viewing and accessing file contents;
  • Record — Allows adding files and subfolders, writing data to a file;
  • Read and Execute — Allows browsing of folders and viewing a list of files and subfolders, allows viewing and access to the contents of a file, as well as launching an executable file;
  • List of folder contents — Allows browsing of folders and viewing only the list of files and subfolders. This permission does not provide access to the contents of the file!
  • Change — Allows viewing the contents and creating files and subfolders, deleting a folder, reading and writing data to a file, deleting a file;
  • Full access - Allows viewing of content, as well as creating, modifying and deleting files and subfolders, reading and writing data, and modifying and deleting a file.

The rights listed above are basic. Basic rights consist of special rights. Special rights are more detailed rights, from which basic rights are formed. Using special rights gives you a lot of flexibility when setting access rights.

List of special access rights to files and folders:

  • Browse Folders/Execute Files — Allows navigation through the folder structure in search of other files or folders, execution of files;
  • Folder Contents/Reading Data — Allows viewing the names of files or subfolders contained in a folder, reading data from a file;
  • Reading attributes — Allows viewing of file or folder attributes such as “Read Only” and “Hidden”;
  • Reading Additional Attributes — Allows viewing additional attributes of a file or folder;
  • Creating Files/Writing Data — Allows creating files in a folder (applies only to folders), making changes to a file and writing over existing content (applies only to files);
  • Creating folders / Adding data — Allows the creation of folders within a folder (applies only to folders), adding data to the end of the file, but not changing, deleting or replacing existing data (applies only to files);
  • Recording Attributes — Allows or denies changing file or folder attributes such as “Read Only” and “Hidden”;
  • Writing Additional Attributes — Allows or prohibits changing additional attributes of a file or folder;
  • Deleting subfolders and files — Allows deletion of subfolders and files even if there is no “Delete” permission (applies only to folders);
  • Removal — Allows deletion of a file or folder. If a file or folder does not have Delete permission, the object can still be deleted if the parent folder has Delete Subfolders and Files permission;
  • Reading Permissions - Allows reading permissions on a file or folder such as “Full Control”, “Read” and “Write”;
  • Changing permissions — Allows you to change permissions for access to a file or folder, such as “Full Control”, “Read” and “Write”;
  • Change of owner — Allows you to take ownership of a file or folder;
  • Synchronization - Allows different threads to wait on files or folders and synchronize them with other threads that may occupy them. This permission only applies to programs running in multithreaded mode with multiple processes.

!!! All basic and special rights can be set as either allowing or denying.

All file and folder permissions are divided into two types: explicit and inherited. The mechanism of inheritance involves the automatic transfer of something from a parent object to a child object. In a file system, this means that any file or folder can inherit its rights from its parent folder. This is a very convenient mechanism that eliminates the need to assign explicit rights to all newly created files and folders. Imagine that you have several thousand files and folders on some disk: how would you distribute access rights to them all, sit down and assign them to each one? No. This is where the inheritance mechanism comes in. We create a folder in the root of the disk, and the folder automatically receives exactly the same rights as the root of the disk. We change the permissions for the newly created folder. Then, inside it, we create another subfolder. This newly created subfolder will have rights inherited from its parent folder, and so on.

The result of applying explicit and inherited rights will be the actual rights to a specific folder or file. There are a lot of pitfalls. For example, you have a folder in which you allow the user “Vasya” to delete files. Then you remember that in this folder there is one very important file that Vasya should under no circumstances delete. You set an explicit ban on the important file (the special deny right "Delete"). It would seem that the job is done and the file is clearly protected from deletion. Yet Vasya calmly goes into the folder and deletes this super-protected file. Why? Because Vasya has delete rights from the parent folder, which in this case take priority.
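The pitfall can be reproduced safely in a scratch folder. The following PowerShell script is an added example, not part of the original article; it assumes it is run by an ordinary user in a new folder under that user's temp directory, and the folder and file names are placeholders. It also shows the check that closes the gap: denying "Deleting subfolders and files" on the folder itself, as the list of special rights above implies.

```powershell
# Added example: reproduces the "Vasya" pitfall in a scratch folder.
# Assumptions: the current user fully controls $env:TEMP; names are placeholders.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User  # current user's SID
$dir = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null

function New-ProtectedFile([string]$Path) {
    # Create a file and put an explicit Deny "Delete" entry on it.
    Set-Content -LiteralPath $Path -Value 'important'
    $acl  = Get-Acl -LiteralPath $Path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'Delete', 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-CanDelete([string]$Path) {
    # Attempt the delete and report whether the file is really gone.
    Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    -not (Test-Path -LiteralPath $Path)
}

# Case 1: Deny "Delete" on the file only. The folder still grants the user
# "Deleting subfolders and files", and NTFS accepts that right instead.
$f1 = Join-Path $dir 'report1.txt'
New-ProtectedFile $f1
"Deny on the file only           -> deleted: $(Test-CanDelete $f1)"

# Case 2: also deny "Deleting subfolders and files" on the folder itself
# (this folder only, no propagation), then repeat the attempt.
$acl       = Get-Acl -LiteralPath $dir
$denyChild = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'DeleteSubdirectoriesAndFiles', 'None', 'None', 'Deny'
$acl.AddAccessRule($denyChild)
Set-Acl -LiteralPath $dir -AclObject $acl

$f2 = Join-Path $dir 'report2.txt'
New-ProtectedFile $f2
"Deny on the file and the folder -> deleted: $(Test-CanDelete $f2)"

# Clean up: drop the folder-level deny entry, then remove the scratch folder.
$acl = Get-Acl -LiteralPath $dir
[void]$acl.RemoveAccessRule($denyChild)
Set-Acl -LiteralPath $dir -AclObject $acl
Remove-Item -LiteralPath $dir -Recurse -Force
```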

Try not to use assigning rights directly to files; assign rights to folders.

!!! Try to assign rights only to groups, this greatly simplifies administration. Assigning rights to specific users is not recommended by Microsoft. Don't forget that a group can include not only users, but also other groups.

For example, if the computer is included in a domain, then the “Domain Users” group is automatically added to its local “Users” group, and the “Domain Admins” group is automatically added to the local “Administrators” group. Accordingly, by assigning rights on any folder to the local Users group, you automatically assign rights to all domain users.

Don’t be discouraged if everything described above is not immediately clear. Examples and independent work will fix the situation quickly!

Let's get down to specifics.

I will show all examples using Windows XP windows. In Windows 7 and higher, the essence remains identical, only there are slightly more windows.

So, to assign or change rights to a file or folder, right-click the required file or folder and select the menu item "Properties".

A window with a "Security" tab should open.

If there is no such tab, then do the following. Launch Explorer, then open the menu "Tools" → "Folder Options...".

In the window that opens, go to the “View” tab and uncheck the option "Use simple file sharing (recommended)".

That's it, now all the properties of the NTFS file system are available to you.

Returning to the "Security" tab.

In the window that opens, a lot of information is available to us. At the top is the "Groups and users:" list, which shows all users and groups that have access rights to this folder (arrow 1). The lower list shows the permissions for the selected user/group (arrow 2). In this case it is the user SYSTEM. This list shows the basic permissions. Please note that the checkmarks in the "Allow" column are faded and cannot be edited. This indicates that these rights are inherited from the parent folder. Once again: in this case, all rights of the SYSTEM user to the folder "Working" are completely inherited from the parent folder, and the SYSTEM user has all rights ("Full access").

By highlighting the desired group or user in the list, we can look at the basic rights for that group or user. By selecting the user "Guest user" ([email protected]), you can see that all of his rights are explicit.

The group "Users" (KAV-VM1\Users), on the other hand, has combined rights: some of them are inherited from the parent folder (gray squares opposite "Read and Execute", "List the contents of the folder", "Reading"), and some are set explicitly: these are the rights "Change" and "Record".

!!! Attention. Pay attention to the names of users and groups. The affiliation of a group or user is indicated in brackets. Groups and users can be local, i.e. created directly on this computer, or they can be domain ones. In this case the group "Administrators" is local, since the entry in brackets gives the name of the computer, KAV-VM1, followed after the slash by the name of the group itself. By contrast, the user "Guest user" is a user of the btw.by domain, as indicated by the full name record [email protected]

Often, when viewing or changing rights, you can limit yourself to the window with basic rights, but sometimes this is not enough. You can then open a window where you can change specific permissions, change the owner, or view current permissions. How to do this? Click the "Advanced" button. This window opens.

In this window, the "Permission Elements" table lists all users who have rights to this folder. In the same way as for basic permissions, we highlight the desired user or group and click the "Change" button. A window opens showing all special permissions for the selected user or group.

Similar to basic permissions, special permissions inherited from a parent folder will appear faded gray and will not be editable.

As you may have already noticed, there are several lines in the special permissions window for some users or groups.


This happens because one user or group can have different types of rights: explicit and inherited, allowing or denying, differing in the type of inheritance. In this case, read rights for the Users group are inherited from the parent folder, and edit rights are added explicitly.

Examples of assigning rights.

!!! All examples will progress with increasing complexity. Read and understand them in the same order as they appear in the text. I will omit similar actions in subsequent examples to reduce the volume of text. 🙂

Example 1: Granting read-only access to a folder to a specific local security group.

First, let's create a local group, which will include the entire list of users we need. It is possible without a group, but then for each user you will need to configure rights separately, and every time you need to give rights to a new person, you will need to do all the operations again. And if you grant rights to a local group, then setting up a new person will require only one action - including this person in the local group. How to create a local security group can be found in the article “Configuring local security groups”.

So, we have created a local security group called "Colleagues for Reading", to which we added all the necessary users.

Now I’m setting up access rights to the folder. In this example, I will give the created group "Colleagues for Reading" access rights to the folder "PHOTO".

I right-click the folder "PHOTO", select the menu item "Properties" and go to the "Security" tab.

The "Security" tab that opens displays the current permissions of the folder "PHOTO". By selecting groups and users in the list, you can see that the rights of this folder are inherited from the parent folder (gray checkmarks in the "Allow" column). In this situation, I don't want anyone other than the newly created group to have any access to the folder "PHOTO".

Therefore, I should remove inheritance of rights and delete unnecessary users and groups from the list. I press the "Advanced" button. In the window that opens, I uncheck the box “Inherit permissions applicable to child objects from the parent object, adding them to those explicitly specified in this window”. This will open a window in which I can choose what to do with the current inherited rights.

In most cases I recommend clicking the "Copy" button here, because if you choose "Delete", the list of rights becomes empty, and you can actually take away the rights from yourself. Yes, don't be surprised, it's very easy to do. And if you are not an administrator on your computer, or not a member of the "Backup Operators" group, then it will be impossible for you to restore your rights. The situation is similar to a door with an automatic latch that you close while leaving the keys inside. So it's better to always press the "Copy" button, and then delete what is unnecessary.

After I clicked "Copy", I return to the previous window again, only this time with the checkbox unchecked.

I press "OK" and return to the basic rights window. All rights have become available for editing. I need to leave the permissions for the local group "Administrators" and the user SYSTEM, and delete the rest. I select unnecessary users and groups one by one and click the "Delete" button.

As a result, I get this picture.

Now all I have to do is add the group "Colleagues for Reading" and assign read permissions to this group.

I press the "Add" button, and in the standard selection window I select the local group "Colleagues for Reading". How to work with the selection window is described in detail in the article.

As a result of all the actions, I added the "Colleagues for Reading" group to the list of basic rights, and the rights "Read and Execute", "List the contents of the folder" and "Reading" were set for this group automatically.

All you have to do is press the "OK" button and the rights are assigned. Now any user who belongs to the local security group "Colleagues for Reading" will be able to read the entire contents of the folder "PHOTO".
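Example 1 can also be scripted. The following PowerShell script is an added example, not part of the original article; the path D:\PHOTO and the group name are assumed placeholders, and it is meant to be run by an administrator. It follows the same order as the GUI steps: copy the inherited entries first, then delete the unnecessary ones, then add the group.

```powershell
# Added example: Example 1 done with Get-Acl/Set-Acl instead of the GUI.
# Assumptions: $Folder and $Group are placeholders; run from an elevated prompt.
$Folder = 'D:\PHOTO'
$Group  = "$env:COMPUTERNAME\Colleagues for Reading"

# Entries to keep, given as well-known SIDs so the script does not depend on
# localized account names: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
$Keep = @('S-1-5-32-544', 'S-1-5-18')

# Step 1: the "Copy" button. Stop inheriting from the parent folder but keep
# the inherited entries as explicit ones, so nobody is locked out halfway.
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $true)   # (isProtected, preserveInheritance)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Re-read the ACL: the copied entries are reported as explicit only after
# the change has been written to disk.
$acl = Get-Acl -LiteralPath $Folder

# Step 2: delete every explicit entry that is not Administrators or SYSTEM.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
    if ($Keep -notcontains $rule.IdentityReference.Value) {
        $acl.RemoveAccessRuleSpecific($rule)
    }
}

# Step 3: add the group with "Read and Execute", inherited by subfolders and
# files. This right also covers "List the contents of the folder" and "Reading".
$read = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($read)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Step 4: show the resulting list. It should contain only Administrators,
# SYSTEM and the group, all with IsInherited = False.
(Get-Acl -LiteralPath $Folder).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```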

Example 2: Giving users personal access to their subfolders in a folder.

This situation is also common in practice. For example, you have a folder for new scanned documents. In this folder, each user has his own separate subfolder. After scanning, the document is taken by the user from its subfolder. The task is to assign rights so that each user sees the contents of only his own subfolder and cannot access a colleague’s subfolder.

For this example, I will rephrase the task a little. Let's assume we have a shared folder "PHOTO", in which there is a subfolder for each user. It is necessary to configure rights so that the user has all rights in his subfolder, and the subfolders of other users are inaccessible to him.

For this setup, I completely repeat all the steps from the first example. As a result, the entire group "Colleagues for Reading" gets read rights to all subfolders. But my task is to make only “my” subfolder visible to the user. Therefore, in the basic rights window I click the "Advanced" button and go to the special rights window, in which I select the group "Colleagues for Reading" and press the "Change" button.

In the window that opens, I change the inheritance rules: instead of the current value in the "Apply:" field, I choose the value "Only for this folder".

This is the key point of this example. The value "Only for this folder" causes the read permissions for the group "Colleagues for Reading" to apply only to the root of the folder "PHOTO", but not to subfolders. Thus, each user will be able to get to his own folder, but will not be able to look into the neighboring one; he does not have the right to view subfolders. If you do not give this right to the group at all, then users will not be able to get into their subfolders at all. The file system will not allow them even into the folder "PHOTO".

As a result, users will be able to access the folder "PHOTO" but they won’t be able to go further into the subfolders!

In the special rights window, click "OK" and go to the previous window. Now, in the "Apply to" column, the value opposite the group "Colleagues for Reading" is "Only for this folder".

Click "OK" in all windows and exit.

All. Now all that remains is to configure personal rights for each subfolder. This will have to be done for each subfolder; the rights are personal for each user.

You have already done all the necessary actions in the first example, let’s repeat what we have covered :)

I right-click the subfolder "User1", select the menu item "Properties" and go to the "Security" tab. I press the "Add" button and in the standard selection window I select the domain user with the name "User1".

All that remains is to check the box for the allowing right "Change". In this case, the checkbox for the allowing right "Record" will be set automatically.

Click "OK" and exit. It remains to repeat similar steps for all subfolders.

Example 3. Providing a user with personal write access to his subfolder, while simultaneously prohibiting modification or deletion.

I understand that it sounds difficult, but I will try to explain. I call this type of access a latch. In everyday life we have a similar situation with an ordinary mailbox, into which we throw paper letters. That is, you can throw a letter into the box, but you can’t take it out of the box. In computing, this can be useful in a situation where someone writes a report for you into a folder. That is, the file is written by the user, but then this user can no longer do anything with this file. This way, you can be sure that the creator will no longer be able to change or delete the submitted report.

As in the previous example, we repeat all the steps, except that we do not immediately give the user full rights to his folder; initially, in the basic permissions we only give read access, and then press the "Advanced" button.

In the window that opens, select "User1" and press the "Change" button.

In the window that opens we see the standard read permissions.

In order to give the user the right to create files, we set an allow on the right “Creating Files/Writing Data”, and on the rights "Deleting subfolders and files" and "Delete" we put a ban. We leave inheritance at the standard value "For this folder, its subfolders and files".

After pressing the "OK" button and returning to the previous window, you can see significant changes. Instead of one entry for "User1", two have appeared.

This is because two types of rights are established: the prohibiting ones, which come first in the list, and the permissive ones, which come second. Since special rights are non-standard, the "Permission" column shows the value "Special". When the "OK" button is pressed, a window appears in which Windows warns that there are prohibiting rights and that they have higher priority. Translated, this means the same situation with a self-closing door, the keys to which are located inside. I described a similar situation in the second example.

All. The rights have been set. Now "User1" will be able to write any file to his folder and open it, but will not be able to change or delete it.

But what about the complete analogy with a real mailbox?

To prevent the user from opening or copying the recorded file, you need to do the following. Again we open the allowing special permissions for "User1", and in the "Apply:" field change the value to "Only for this folder".

In this case, the user does not have the right to read or copy the file.

All. Now the analogy with a physical mailbox is almost complete. He will only be able to see the names of the files, their size, attributes, but he will not be able to see the file itself.

View current rights.

I want to say right away that the ability to view the current rights for a folder or file is a complete fiction. In my opinion, such tools should provide guaranteed information. This is not the case here. Microsoft itself admits that this tool does not take into account many factors that influence the resulting rights, such as logon conditions. Therefore, using such a tool only means deceiving yourself about the real rights.

The case described at the very beginning of the article, with the ban on deleting a file from a folder, is very telling here. If you simulate a similar situation and look at the rights of a file that is protected from deletion, you will see that the right to delete the file is denied. However, deleting this file is not difficult. Why Microsoft did this, I don't know.

If you still decide to look at the current rights, click the "Advanced" button in the basic rights window, and in the special rights window go to the "Effective Permissions" tab.

Then you need to press the "Choose" button and select the desired user or group in the standard selection window.

Once selected, you can see the “approximate” effective permissions.

In conclusion, I want to say that the topic of NTFS file system rights is very extensive; the above examples are only a very small part of what can be done. Therefore, if you have questions, ask them in the comments to this article. I'll try to answer them.

Information taken from the thirteenth chapter of the book "Windows 2000. Administrator's Guide." By William R. Stanek.

On volumes with the NTFS file system, you can set security permissions for files and folders. These permissions grant or deny access to files and folders. To view your current security permissions, do the following:

Understanding File and Folder Permissions

Table 13-3 shows the basic permissions that apply to files and folders.
The basic file permissions are Full Control, Modify, Read & Execute, Read, and Write.
The following basic permissions apply to folders: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.

When setting permissions for files and folders, you should always keep the following in mind:

To run scripts, you only need to have Read permission. Execute File permission (special Execute File permission) is optional.
Read permission is required to access the shortcut and its associated object.
Permission to Write to a file (the Write Data special permission) without Delete permission to the file (the Delete special permission) still allows the user to delete the contents of the file.
If a user has the base Full Control permission on a folder, they can delete any files in that folder, regardless of the permissions on those files.

Table 13-3 - Basic permissions for files and folders in Windows 2000

Basic permission | Meaning for folders | Meaning for files
Read | Allows browsing of folders and viewing a list of files and subfolders | Allows viewing and access to file contents
Write | Allows adding files and subfolders | Allows writing data to a file
Read & Execute | Allows browsing of folders and viewing a list of files and subfolders; inherited by files and folders | Allows viewing and accessing the contents of a file, as well as running the executable file
List Folder Contents | Allows browsing of folders and viewing a list of files and subfolders; only inherited by folders | Not applicable
Modify | Allows viewing of content and creation of files and subfolders; allows folder deletion | Allows reading and writing data to a file; allows file deletion
Full Control | Allows viewing of content, as well as the creation, modification and deletion of files and subfolders | Allows reading and writing data, as well as modifying and deleting a file

Basic permissions are created by grouping specific permissions into logical groups, which are shown in Table 13-4 (for files) and 13-5 (for folders). Special permissions can be assigned individually using the advanced settings. When learning about specific file permissions, consider the following:

If access rights are not explicitly defined for a group or user, then access to the file is denied to them.
When calculating a user's effective permissions, all permissions assigned to the user, as well as the groups of which the user is a member, are taken into account. For example, if the user GeorgeJ has Read access, and at the same time is a member of the Techies group, which has Modify access, then as a result, the user GeorgeJ has Modify access. If the Techies group is included in the Administrators group with Full Control, then GeorgeJ will have full control of the file.

Table 13-4 – Special file permissions

Special permissions Full Control Modify Read & Execute Read Write
Execute File X X X
Read Data X X X X
X X X X
X X X X
Write Data X X X
Append Data X X X
X X X
X X X
Delete X X
X X X X X
X
X

Table 13-5 shows the specific permissions used to create basic folder permissions. When learning about special folder permissions, consider the following:

When you set permissions for a parent folder, you can match the permissions elements of files and subfolders to the permissions of the current parent folder. To do this, you need to check the Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions checkbox.
The files that are created inherit some permissions from the parent object. These permissions are shown as default file permissions.

Table 13-5 - Special permissions for folders

Special permissions Full Control Modify Read & Execute List Folder Contents Read Write
Traverse Folder X X X X
List Folder Contents X X X X X
Read Attributes X X X X X
Read Extended Attributes X X X X X
Create Files X X X
Create Folders X X X
Write Attributes X X X
Write Extended Attributes X X X
Delete Subfolders and Files X
Delete X X
Read Permissions X X X X X X
Change Permissions X
Take Ownership X

Setting permissions for files and folders

To set permissions for files and folders, do the following:

1. Select the file or folder and right-click.
2. In the context menu, select the Properties command and in the dialog go to the Security tab, shown in Figure 13-12.


Figure 13-12 – Setting basic permissions for files or folders on the Security tab

3. The Name list shows the users or groups that have access to the file or folder. To change permissions for these users or groups, do the following:

Select the user or group for which you want to change permissions.

Use the Permissions: list to set or revoke permissions.

Tip. Inherited permissions checkboxes are grayed out. To override an inherited permission, change it to its opposite.

4. To set permissions for users, contacts, computers, or groups that are not shown in the Name list, press the Add button. A dialog box will appear as shown in Figure 13-13.


Figure 13-13 – Select the users, computers and groups for which you want to allow or deny access.

5. Use the Select Users, Computers, Or Groups dialog box to select the users, computers, or groups for which you want to set access permissions. This window contains the fields described below:

Look In: This drop-down list allows you to view available accounts from other domains, including the current domain, trusted domains and other available resources. To see all accounts in a folder, select Entire Directory.

Name: This column shows existing accounts for the selected domain or resource.

Add: This button adds the highlighted names to the list of selected names.

Check Names: This button allows you to check user, computer, or group names in the list of selected names. This can be useful when names are entered manually and you want to ensure they are correct.

6. In the Name list, highlight the user, contact, computer, or group to configure, then select or clear the check boxes in the Permissions: list to determine access rights. Repeat these same steps for other users, computers, or groups.
7. When finished, press the button OK.

System resource audit

Auditing is the best way to track events in Windows 2000 systems. Auditing can be used to collect information related to the use of a resource. Examples of auditable events include file access, system logon, and system configuration changes. After auditing of an object is enabled, entries are written to the system security log whenever an attempt is made to access this object. The security log can be viewed from the Event Viewer snap-in.

Note. To change most audit settings, you must be logged in as an Administrator or a member of the Administrators group, or have the Manage Auditing And Security Log right in Group Policy.

Setting Audit Policies

Applying audit policies significantly improves the security and integrity of systems. Almost every computer system on a network should be configured with security logging. Audit policies are configured in the Group Policy snap-in. With this component, you can set audit policies for an entire site, domain, or organizational unit. Policies can also be set for individual workstations or servers.

After selecting the required Group Policy container, you can configure audit policies as follows:

1. As shown in Figure 13-14, find the Audit Policy node by moving down the console tree: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.


Figure 13-14 – Setting up an audit policy using the Audit Policy node in Group Policy.

2. The following audit categories are available:

Audit Account Logon Events. Tracks events related to user logon and logoff.

Audit Account Management. Tracks all account management events performed with the snap-in tools. Audit entries appear when user, computer, or group accounts are created, modified, or deleted.

Audit Directory Service Access. Tracks access to the Active Directory directory. Audit records are created each time users or computers access the directory.

Audit Logon Events. Tracks logon and logoff events and remote network connections.

Audit Object Access. Tracks the use of system resources: files, directories, shares, and Active Directory objects.

Audit Policy Change. Tracks changes to user rights assignment policies, audit policies, or trust policies.

Audit Privilege Use. Tracks every attempt by a user to exercise a right or privilege granted to him or her, for example, the right to back up files and directories.

Note. The Audit Privilege Use policy does not track events related to system access, such as use of the right to log on interactively or to access a computer from the network. These events are tracked by the Audit Logon Events policy.

Audit Process Tracking. Tracks system processes and the resources they use.

Audit System Events. Tracks computer startup, restart, and shutdown, as well as events that affect system security or are recorded in the security log.

3. To configure an audit policy, double-click the desired policy, or select Properties from the policy's context menu. The Local Security Policy Setting (Properties) dialog box opens.
4. Select the Define These Policy Settings check box. Then select or clear the Success and Failure check boxes. Success auditing creates an audit record for each successful event (for example, a successful logon attempt). Failure auditing creates an audit record for each failed event (for example, a failed logon attempt).
5. When finished, click OK.

Audit of operations with files and folders

If the Audit Object Access policy is enabled, you can audit at the level of individual folders and files. This lets you track their usage precisely. This feature is available only on volumes with the NTFS file system.

To set up file and folder auditing, do the following:

1. In Windows Explorer, select the file or folder for which you want to set up auditing. From the context menu, select Properties.
2. Go to the Security tab and then click Advanced.
3. In the dialog box, go to the Auditing tab, shown in Figure 13-15.


Figure 13-15 – Setting up audit policies for individual files or folders on the Auditing tab.

4. For audit settings to be inherited from a parent object, the Allow Inheritable Auditing Entries From Parent To Propagate To This Object checkbox must be selected.
5. To have child objects inherit the audit settings of the current object, select the Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries check box.
6. Use a list Remove.
7. Add to display a dialog box OK, a dialog box will appear Audit element for Folder or file name , shown in Figure 13-16.

Note. If you want to track the actions of all users, use the special group Everyone. Otherwise, select individual users or groups to audit, in any combination.


Figure 13-16 – The Auditing Entry For New Folder dialog box, used to set auditing entries for a user, contact, computer, or group.

8. Apply Onto.
9. Select the Successful and/or Failed check boxes for the events you want to audit. Success auditing creates an audit record for a successful event (for example, a successful file read). Failure auditing creates an audit record for a failed event (for example, a failed attempt to delete a file). The events available for auditing are the same as the special permissions (Tables 13-4 and 13-5), with the exception of offline file and folder synchronization, which cannot be audited.
10. When finished, click OK. Repeat these steps to configure auditing for other users, groups, or computers.
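
The audit entry built in the steps above, and the object-access policy it depends on, can also be set and checked from a script. This is an added example, not taken from the book: it assumes a current Windows release with PowerShell 5.1 and auditpol.exe (neither is part of Windows 2000), an elevated session, and a hypothetical folder C:\Data\Finance. Event ID 4663 is the object-access event on those releases.

```powershell
# Added example. Run in an elevated session; $Path is a hypothetical NTFS folder.
$Path = 'C:\Data\Finance'

# Folder audit entries only generate events while object-access auditing is on
# (the Audit Object Access policy). auditpol.exe is the command-line equivalent
# on current Windows; a domain Group Policy setting can override this local change.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Build one audit entry: principal, audited accesses, inheritance (Apply Onto),
# and the Successful/Failed choice. S-1-1-0 is the well-known SID for Everyone.
$everyone  = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$results   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, $rights, $inherit, $propagate, $results)

# The SACL is only returned when -Audit is given; reading and writing it needs
# the Manage Auditing And Security Log right, which Administrators hold by default.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify what is now on the folder, including entries inherited from the parent.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Review recent object-access events that mention the audited folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id, Message -First 10
```

Auditing only modifying accesses, rather than every read, keeps the security log small enough to review; widen $rights only for folders where read access itself needs to be traced.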

Auditing Active Directory Objects

If the Audit Directory Service Access policy is enabled, you can audit at the level of individual Active Directory objects. This lets you track their usage precisely.

To configure object auditing, do the following:

1. In the Active Directory Users And Computers snap-in, select the container for the object.
2. Right-click the object to be audited and select Properties from the context menu.
3. Go to the Security tab and click Advanced.
4. Go to the Auditing tab of the Access Control Settings dialog box. For audit settings to be inherited from a parent object, the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box must be selected.
5. Use the Auditing Entries list to select the users, computers, or groups whose activities will be monitored. To remove an account from this list, select it and click Remove.
6. To add an account, click Add. The Select Users, Contacts, Computers, Or Groups dialog box appears; select the account to add. When you click OK, the Auditing Entry For New Folder dialog box appears.
7. If you need to specify the objects to which the audit settings apply, use the Apply Onto drop-down list.
8. Select the Successful and/or Failed check boxes for the events you want to audit. Success auditing creates an audit record for each successful event (for example, a successful file read). Failure auditing creates an audit record for each failed event (for example, a failed attempt to delete a file).
9. When finished, click OK. Repeat these steps to set up auditing for other users, contacts, groups, or computers.


Material taken from the book "Windows 2000. Administrator's Guide". By William R. Stanek. © Microsoft Corporation, 1999. All rights reserved.
