![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 32%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
System Center Orchestrator
A family of System Center products that provide an automation platform for orchestrating and integrating both Microsoft and non-Microsoft IT tools.
229 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
Hi,
Can't see this in Event viewer as well.
Please try to Enable the System Event Audit Log
To capture the username or system making changes, you might need to enhance your runbook to include additional activities that can fetch this information. Unfortunately, the default File Monitor activity does not capture user details.
You can consider using PowerShell scripts within your runbook to query the file system for user information.
Here’s a basic example of how you might do this:
$path = "C:\path\to\your\file"
$events = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4663} | Where-Object { $_.Properties[6].Value -eq $path }
foreach ($event in $events) {
$user = $event.Properties[5].Value
Write-Output "User: $user"
}
For your second issue with running the runbook using a Network share path or mapped drive root, it appears that the File Monitor activity in Orchestrator is designed to work with local paths. The example runbook for monitoring a folder specifies using local paths in the configuration. This might be why you are encountering syntax issues when trying to use network shares.