Who deleted my files?

I am a Windows NT 4.0 user, and recently I have noticed a few files missing from my computer. I am sure that this was intentional but I am positive I didn't do it. I have several accounts setup, and I was wondering if there is any way to see who deleted some of my files. Is this possible without external software?
HoudinizedAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NenadicCommented:
Unless you already had auditing specified, I don't think there is really a way to see who did this.
0
HoudinizedAuthor Commented:
How do you use auditing?
0
j2Commented:
in usermanager, in the "middle menu" (im not using the english version). But as Nenadic pointed out, it has to be enabled BEFORE the event, you can not see what happened "in the past".
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

NenadicCommented:
The menu is POLICIES, then go under AUDITING. Then, go to Windows Explorer and right-click on files or folders you want audited.

Bear in mind that auditing on files and folders can only be done on NTFS partitions. So, ideally you should prohibit users from deleting files to start off with, and then specify auditing to see who attempted to delete a file.
0
ravenoneCommented:
Auditing is a two step process.
First, you need to enable it in User Manager.  There, under Policy, select Audit.  Audit File and Object Access, both success and failure.
Next, go to the folder where the files are stored. In Explorer, click on security and click auditing.

It's advisable to select only what you want to audit, in your case delete (success and failure).  If you select all of the options, your security log will fill very quickly.  Also, you can add users here- it's best to limit the number of users, since too many will fill the log quickly.  If you log everything, it will slow down your system as well.

You sould also change the rights to eventvwr.exe, so only you can run it and so others can't go in and clear the logs.

-Tabo, MCSE
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NenadicCommented:
Ravenone,
Please don't post a copy of my comment as your answer.
0
HoudinizedAuthor Commented:
thank you guys for the help! appreciate it!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.