The Auditing plugin will, when possible, extract the user who created or deleted a file from local or remote computers.
The success of this plugin relies on proper security configuration of the computer and folder as well as administrator rights for the user running ShareWatcher.
A Few Notes First on the Audit Plugin
  • ShareWatcher does not require the steps below for any of the other features to work. This is only for user level auditing where there is a need to know the user who added or deleted a file/folder.
  • Auditing requires reading the Windows Event Log and this can slow ShareWatcher's performance for remote computers on busy networks and computers. Depending on file event rate this may or may not be an issue.
  • For Auditing to be allowed, ShareWatcher must be run on a computer with administrator rights for the local computer (if audited) and any remote computers selected. Typically a Domain Administrator account is required.
  • ShareWatcher will try its best to extract the User Information from the Windows Event Log but cannot always guarantee success.
Where Used
The Audit Plugin is used by the New(live) and Deleted plugins.
When adding or editing a folder, an Audit choice is offered. "Not Audited" is the default option. Licensed users will have the option of "Local Computer" or one of their pre-configured Remote Computers to choose from.
Security Configuration
Computer Configuration
Open Local Security Policy either from Control Panel...
...or open a command prompt and type, "secpol.msc".
Edit the Audit Policy as shown below.
Your computer is now ready to audit file events.
NOTE: You may appear to have successfully configured your computer as shown above but reopen the Audit Policy to be sure it has saved. Reasons for not saving or working could be related to you not having Domain Administrator rights, your Security Policy being controlled by another Group Policy or it could be related to the scenario discussed on this Microsoft Support Page. It is important that this process above be completed successfully for the plugin to work. Following the Folder Configuration below alone will not provide user auditing.
Folder Configuration
The following steps must be completed for any folder selected for Audit:
...and click OK on each dialog until you're back at the folder view. 
Administrator Rights
The user needs to be an administrator on the local computer or in the case of remote computer auditing, a domain administrator. This high level security setting is a requirement for remote computer access of the Windows Event Log.
If you are experiencing long delays between file events and a logged entry then it may be that the computer being monitored with Auditing turned on is heavily utilised. Click the Info button (New Files / Deleted Files) for insight into this possibility. If this is adversely affecting the performance then please contact for advice on how to customise the Event Log Search for your environment.
Website CodeLine | Email