File Server Access Audit Report with PowerShell

This PowerShell script audits several file servers and sends a report in CSV and HTML by mail. The HTML report can filter and sort rows by server, time, user, file or operation (read, delete or write). The CSV file can be imported into Excel to generate a File Audit Report.

 
 
 
 
 
9/24/2019
  • Does not audit folder deletions
    1 Posts | Last post February 04, 2020
    • Hello, it works perfectly but the only problem is that it does not audit folder deleting. Is it possible to add that? Other than that amazing and useful script! Thanks.
  • Thanks for scripts
    1 Posts | Last post November 13, 2019
    • Brilliant script
  • Thanks for the PS Script
    1 Posts | Last post October 27, 2019
    • I just have a question.
      The access mask seems to be different for the DELETE action in Server 2012 R2
      How can I add 2 event IDs in the filter?
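
An added example (not part of the original script or of the post above) of passing more than one event ID to the `Get-WinEvent` filter and decoding the `AccessMask` field of event 4663. The second ID (4660), the function names and the server name are assumptions; the post does not say which IDs were intended.

```powershell
# Added example; Get-FileAuditEvent and ConvertFrom-AccessMask are hypothetical names.
# Reading the Security log needs an elevated session or membership in the
# built-in "Event Log Readers" group on the target server.

# File-object rights as they appear in the AccessMask field of event 4663.
$AccessRights = @(
    @{ Bit = 0x1;     Name = 'ReadData' }
    @{ Bit = 0x2;     Name = 'WriteData' }
    @{ Bit = 0x4;     Name = 'AppendData' }
    @{ Bit = 0x10000; Name = 'DELETE' }
)

function ConvertFrom-AccessMask {
    param([string]$Mask)                      # logged as hex text, e.g. "0x10000"
    $value = [Convert]::ToInt32($Mask, 16)
    $names = foreach ($r in $AccessRights) { if ($value -band $r.Bit) { $r.Name } }
    if ($names) { $names -join ',' } else { $Mask }   # unknown bits: keep raw mask
}

function Get-FileAuditEvent {
    param([string]$Server, [datetime]$Since)
    # Id takes an array, so several event IDs go into one filter.
    # 4663 = access attempt on an object, 4660 = object deleted (assumed second ID).
    $filter = @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $Since }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $op = if ($data['AccessMask']) { ConvertFrom-AccessMask $data['AccessMask'] } else { 'ObjectDeleted' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $data['SubjectUserName']
            Object    = $data['ObjectName']   # not present on 4660
            HandleId  = $data['HandleId']     # pairs a 4660 with its 4663
            Operation = $op
        }
    }
}

# Constructed masks to show the decoding offline:
'0x10000', '0x2', '0x6' | ForEach-Object { '{0} -> {1}' -f $_, (ConvertFrom-AccessMask $_) }

# Live query (assumed server name and time window):
# Get-FileAuditEvent -Server 'FS01' -Since (Get-Date).AddDays(-1) | Export-Csv audit.csv -NoTypeInformation
```
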
  • Couple of things..
    2 Posts | Last post August 30, 2019
    • $htmlReportPath and $csvReportPath are declared in the user vars at the top of the script, and again on lines 498 - 499 so they override the user vars, I've commented the second instances out.  Also when I run this script manually or by triggering the scheduled task I get the expected results, but when the script runs by scheduled task on its own I get:
      
      Getting events with ID 4663 of some-server-name since 08/29/2019 06:00:02. This may take several minutes depending of log size...
      PS>TerminatingError(Get-Item): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Cannot find path 'C:\Device\HarddiskVolume2\Windows\System32\lsass.exe' because it does not exist."
      
    • Scratch my second comment, it seems that the 6am schedule is playing a part - if I add a one off schedule and lock the server it runs as expected, it's just the daily 6am one that is an issue...  Will adjust the time in case some other process is causing an issue.
      
      The double var declaration is still a problem though (lines 501-501 not 498-499, I needed my morning coffee...)
      
      Thanks for this script though :)
  • Getting Error after running script
    2 Posts | Last post August 30, 2019
    • Please help me to fix this issue
      
      Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform 
      an unauthorized operation..
      At C:\Script\FileServerAuditReport.ps1:163 char:13
      +     $evts = Get-WinEvent -computer $svr -FilterHashtable @{LogName="s ...
      +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], Exception
          + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
       
      
  • Thank you
    1 Posts | Last post June 04, 2019
    • This is awesome! Thank you very much for this.
  • TerminatingError
    2 Posts | Last post March 26, 2019
    • Hi, I am getting the below error
      
      PS>TerminatingError(Get-WinEvent): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.."
      >> TerminatingError(Get-WinEvent): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.."
      >> TerminatingError(Get-WinEvent): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.."
      The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
      Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform
      an unauthorized operation..
      At xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:163 char:13
      +     $evts = Get-WinEvent -computer $svr -FilterHashtable @{LogName="s ...
      +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], Exception
          + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
      
      PS>$global:?
      False
    • Hi! This error means that you cannot read the Security log. Try to run PowerShell as administrator and then launch the script.
  • TerminatingError
    1 Posts | Last post March 19, 2019
    • PS>TerminatingError(Get-WinEvent): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.."
      >> TerminatingError(Get-WinEvent): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.."
      >> TerminatingError(Get-WinEvent): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.."
      The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
      Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform
      an unauthorized operation..
      At xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      +     $evts = Get-WinEvent -computer $svr -FilterHashtable @{LogName="s ...
      +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], Exception
          + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
      
      PS>$global:?
      False
  • What does this variable do?
    2 Posts | Last post February 28, 2019
    • # For example: $filesToAudit = "MontlyReport.xlsx","Internal Database.mdb" -> Only these two files will be included in the report. 
      $filesToAudit = "" 
      
      Is this the report name, or do you mean the path of a specific folder you want to audit?
      
      Thanks
    • So sorry, I just was confused about the comments. Thanks for your script