Follow below given steps to enable auditing and track related events in Event Viewer:
Step 1: Open Local Security Policy
Go to Administrative Tools and open Local security policy.
Step 2: Enable Audit Object Access policy.
In Local Security Policy, click Local Policies, and click Audit Policy. List of all Local Security Polcies is displayed in the right side.
In the policy list, double click Audit object access to open Properties window.
Select Success and Failure checkboxes. Click Apply and OK.
Step 3: Track permission changes
Next, locate the folders whose permission changes have to be tracked. Right-click on it and select Properties from the context menu. In Properties window, switch to Security Tab.
Click Advanced to access the advanced settings
Step 4: Add a new auditing entry
In Advanced Security Settings, go to Auditing tab.
Click Add to add a new auditing entry. Auditing entry window appears on the screen.
Enter the following information in this dialog box:
Principal: Click on Select a Principal link to select users for auditing. You can also select Everyone, for that type Everyone in the text box and click Check
Click OK. It takes you back to Auditing Entry window.
Type: In Type drop-down menu, select Success, Fail or All as per requirement. It is recommended to audit All changes.
Applies To: Select This folder, subfolders and files to apply this auditing to all files and folders in the selected folder.
Basic Permissions: Select the permissions that you want to audit.
Add a condition: Click Add a condition to narrow the scope of auditing, this ensures that you have limited events logs to search. You can add multiple conditions if you want.
Click OK to close the window.
Click Apply and OK to close the Advanced Security Settings… window. Click OK to close the folder’s Properties.
Step 5: View changes in Event Viewer
After you have enabled the auditing, the events will be logged in the system whenever a change in permissions of that folder is detected. To view the logs, go to Control panel → Administrative Tools → Event viewer. Now open the event logs and go to Windows Logs, and select Security. All the events in this category are displayed in the middle pane.
Step 6: Search for the Event ID 4670
On the right side, select the Filter current log… option. From this option, you can easily add filters to find specific event logs from all the logs on the file server. Search for the Event ID 4670 that corresponds to permission changes on an object.
After you have found the events, double-click any event to view its properties in the Event Properties window. Here, you find all the details related to the event.