Hello Manoj，

仅在您之前已启用对象访问审核时该文件已被修改。如果是，则它将出现在安全事件日志中。



要启用该审计，您必须通过策略在服务器本身上执行此操作。然后，您将在要审核的文件/文件夹上设置适当的SACL。

使用以下链接配置对象访问审核 

https ：//support.microsoft.com/en-gb/help/814595/how-to-audit-active-directory-objects-in-windows-server-200

Hi,

We had an instance somebody has added a line to the web.config file in our sharepoint server.

Please let us know how to find out who has modified the web.config file. Is there any mechanism to know?

Thanks.

Knowledge is power.

Hello Manoj,

Only if you already had Object Access Auditing enabled before the file was modified. If so, then it would be in the Security Event Log.

To enable that auditing, you would have to do it on the server itself, via policy. Then you would set the appropriate SACL on the file(s)/folder(s) you want to audit.

Use the following link to configure Object Access Auditing 

https://support.microsoft.com/en-gb/help/814595/how-to-audit-active-directory-objects-in-windows-server-200