<div>
Hi, have a look at this for deletes:<br />
<br />
<a href="http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564" rel="ugc">http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564</a><br />
<br />
You should look for 560's with coinciding 564's, A move will be the same as a delete.<br />
<br />
HTH
</div>


Hi, have a look at this for deletes:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564 [http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564]

You should look for 560's with coinciding 564's, A move will be the same as a delete.

HTH

<div>
Thanks for the reply. Starting to make sense. However, the two entries that I have are both ID 560. have attached a txt file.<br />
<br />
Have changed some of the info like domain, user etc. Effectively &quot;D:\someDir&quot; stands for the dir that was moved.<br />
<br />
Cheers,<br />
<br />
Nellster<br />
<a href="https://filedb.experts-exchange.com/incoming/2009/08_w32/167187/ObjectAccess.txt" target="_blank" class="file-inline" title="Sample log entry (1 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>ObjectAccess.txt</a>
</div>


Thanks for the reply. Starting to make sense. However, the two entries that I have are both ID 560. have attached a txt file.

Have changed some of the info like domain, user etc. Effectively "D:\someDir" stands for the dir that was moved.

Cheers,

Nellster
ObjectAccess.txt [https://filedb.experts-exchange.com/incoming/2009/08_w32/167187/ObjectAccess.txt]

ObjectAccess.txt

<div>
<div class="content wysiwyg-content">
Hi all,<br />
<br />
We keep having folders mysteriously being moved from one directory to another or being deleted. I have set up auditing on these directories but am having difficulty translating the entries in the event viewer. I set the auditing up to track &quot;Delete Subfolders and files&quot; &amp;&nbsp;&quot;Delete&quot;.<br />
<br />
What parts of the log entry will inform me if a file/folder has been deleted or moved?<br />
<br />
Many thanks in advance!<br />
<br />
Nellster<br />
<br />

</div>
</div>


Hi all,

We keep having folders mysteriously being moved from one directory to another or being deleted. I have set up auditing on these directories but am having difficulty translating the entries in the event viewer. I set the auditing up to track "Delete Subfolders and files" & "Delete".

What parts of the log entry will inform me if a file/folder has been deleted or moved?

Many thanks in advance!

Nellster



Translate object access audit log

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).