To find who last opened or modified a file, you have to enable auditing on that file. To enable auditing, you have to enable auditing at the server level and then enable auditing on the particular object (in this case, a file) in which you are interested.
From the Administrative Tools, open the Local Security Policy snap-in.
In the left pane, expand Local Policy and click on Audit Policy.
In the right pane, double-click Audit object access.
Check the boxes beside Success or Failure (as needed).
Now you need to enable auditing on the target file(s) or folder(s):
Open Windows Explorer.
In the left pane, browse to the parent folder of the file or folder on which you want to enable auditing. Click on the parent folder. This displays the list of sub-folders and files in the right pane.
In the right pane, right-click on the target file or folder and select Properties.
Select the Security tab.
Click the Advanced button.
Select the Auditing tab.
Click the Add button.
Enter the user or group you want to audit access for (use the
Everyoneprincipal to audit all access) and click OK.
In the Auditing Entry dialog box, select the types of access you want to audit. You have to select Success events separately from Failure events. Click OK when you are done.
> auditpol \\
Microsoft doesn't provide a tool to configure the audit
settings of files. However, you can do this with the setacl.exe tool. It is available for download from SourceForge
at http://setacl.sourceforge.net/. Here is an
example of setting an audit entry on the file
d:\myimportantfile.txt for all failed access
attempts by the
> setacl -on "d:\myimportantfile.txt" -ot file -actn ace -ace "n:everyone;p:full;m: aud_fail;w:sacl"
Be careful when enabling auditing on a frequently accessed set of files or folders. The number of audit messages in the Security event log can grow quickly with just a few accesses of the file. Monitor the Security event log closely after initially enabling auditing just to make sure you don't flood it.