Hello,
There is a Windows Server 2008 R2 based system. I want to track when a file was last read (e.g. a JPEG was viewed or a .txt file was opened in Notepad) by a real user. A real user means not a service user, a backup run, a shadow copy or an anti-virus check.
(Maybe real user means users below a certain OU in Active Directory or members of a group, something like that.)
Of course, I've tried using the last access date of a file, but it doesn't help, since a backup run reads the file and the last access date is touched, too. I have no way to check the access source.
I know that Windows provides an auditing mechanism (Advanced Security Audit Policy) that could help me. I haven't used it before. Is the mechanism able to track only real users' file accesses and disregard access from unreal users?
However, I need to do more than auditing manually.
My major use case is: I want to automatically clean up files that are older than n weeks, where older means last read access by a real user.
So, how can I solve my use case using Windows tools like Advanced Security Auditing?
Is the Windows Advanced Security Auditing mechanism able to export/report the audit information in a machine-readable format like CSV or XML? If yes, how do I do this? (Then I could use a wide range of tools for doing the automatic cleanup of the files.)
Thank you & best regards
ITL