I was approached a few days ago to develop a solution for monitoring access to a folder on a server (with auditing enabled). My first approach was to try to monitor the file's last access time, but I found this to be somewhat unreliable. So my next method was to monitor the system's event logs. This proved much more reliable, if not a little too much at times.
Drop the code below in a .vbs file, execute it, and sit back and relax.
```vbscript
strComputer = "."  'TODO: Enter the server's name here ("." is the local machine)

' The (Security) privilege is required to read the Security event log.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & _
    strComputer & "\root\cimv2")

' Subscribe to new event log records with the chosen event code.
' 560 is the object-open audit event on Windows Server 2003 and earlier;
' Windows Server 2008 and later log 4656 for the same action.
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __instancecreationevent where " _
    & "TargetInstance isa 'Win32_NTLogEvent' " _
    & "and TargetInstance.EventCode = '560' ")
    'TODO: modify the event code to fire on whatever you require

Do
    ' Blocks until the next matching event is written to the log.
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User _
        & " has accessed a folder on a server"
    'TODO: Modify the alert you would like to receive
    Wscript.Echo strAlertToSend

    ' Send the alert by e-mail through an SMTP server (sendusing = 2).
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = "alerts@example.com"  'TODO: Specify a from address (placeholder)
    objEmail.To = "admin@example.com"     'TODO: Enter a To address (placeholder)
    objEmail.Subject = strAlertToSend
    objEmail.Textbody = strAlertToSend
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = _
        "mail.example.com"  'TODO: Specify your mail server's name here (placeholder)
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objEmail.Configuration.Fields.Update
    objEmail.Send
Loop
```
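The event log approach fires on every matching audit record, which is why it can be "a little too much". The following is an added example, not part of the original post, of one way to cut the noise: keep only events whose object path lies under the audited folder and send at most one alert per user within a quiet period. The folder path, the quiet period, the function names and the sample events are assumptions, as is the reliance on the "Object Name:" label in the event 560 description text.

```vbscript
Option Explicit
Const MONITORED_FOLDER = "D:\Shares\Finance"  ' assumption: audited folder, no trailing "\"
Const QUIET_SECONDS = 300                     ' assumption: one alert per user per 5 minutes

Dim dictLastAlert, arrSamples, arrEvent, strPath, strHead
Set dictLastAlert = CreateObject("Scripting.Dictionary")
dictLastAlert.CompareMode = vbTextCompare     ' account names are not case-sensitive

' Return the path that follows "Object Name:" in the event text, or "" if absent.
Function GetObjectName(strMessage)
    Dim strLine, strValue, intPos
    GetObjectName = ""
    For Each strLine In Split(Replace(strMessage, vbCrLf, vbLf), vbLf)
        intPos = InStr(1, strLine, "Object Name:", vbTextCompare)
        If intPos > 0 Then
            strValue = Mid(strLine, intPos + Len("Object Name:"))
            GetObjectName = Trim(Replace(strValue, vbTab, " "))
            Exit Function
        End If
    Next
End Function

' True when strPath is the folder itself or anything beneath it. The trailing
' backslash stops D:\Shares\Finance2 from matching D:\Shares\Finance.
Function IsUnderFolder(strPath, strFolder)
    IsUnderFolder = (StrComp(strPath, strFolder, vbTextCompare) = 0) Or _
        (StrComp(Left(strPath, Len(strFolder) + 1), strFolder & "\", vbTextCompare) = 0)
End Function
' True when this user has not been alerted on within the quiet period.
Function ShouldAlert(strUser, dtNow)
    ShouldAlert = False
    If dictLastAlert.Exists(strUser) Then
        If DateDiff("s", dictLastAlert(strUser), dtNow) < QUIET_SECONDS Then Exit Function
    End If
    dictLastAlert(strUser) = dtNow
    ShouldAlert = True
End Function

' Constructed (user, message) pairs shaped like the text of event 560.
strHead = "Object Open:" & vbCrLf & vbTab & "Object Name:" & vbTab
arrSamples = Array( _
    Array("CORP\alice", strHead & "D:\Shares\Finance\q3.xls"), _
    Array("CORP\alice", strHead & "D:\Shares\Finance\q4.xls"), _
    Array("CORP\bob", strHead & "D:\Shares\Finance2\notes.txt"))
For Each arrEvent In arrSamples
    strPath = GetObjectName(arrEvent(1))
    If IsUnderFolder(strPath, MONITORED_FOLDER) Then
        If ShouldAlert(arrEvent(0), Now) Then WScript.Echo arrEvent(0) & " has accessed " & strPath
    End If
Next
```

Inside the monitoring loop, the same functions would take objLatestEvent.TargetInstance.Message and objLatestEvent.TargetInstance.User in place of the sample pairs.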