My normal answer to this is that we need to enable auditing and set up object access audit policies.
With that sentence I usually lose the person on the word auditing.
First we will downloadShare Monitor from Softpedia.After downloading the system go ahead and run it.
If you do not have any Windows shared files on your box than nothing will happen.
If you do have shares on your rig, Share Monitor will start its magic.
I downloaded and ran Share Monitor on my office desktop machine.
I then clicked thestartbutton on the system, not changing anything and I still saw nothing!
I then saw my log start to grow.
Now how can we use this information?
How do I know that?
Well that is the only entry withWrite + Readaccess to the file.
All the other entries list onlyreadaccess.
This means that those users COULD NOT have modified my file.
My culprit is the Administrator!
