• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 667
  • Last Modified:

Who deleted my files?

I am a Windows NT 4.0 user, and recently I have noticed a few files missing from my computer. I am sure that this was intentional but I am positive I didn't do it. I have several accounts setup, and I was wondering if there is any way to see who deleted some of my files. Is this possible without external software?
0
Houdinized
Asked:
Houdinized
1 Solution
 
NenadicCommented:
Unless you already had auditing specified, I don't think there is really a way to see who did this.
0
 
HoudinizedAuthor Commented:
How do you use auditing?
0
 
j2Commented:
in usermanager, in the "middle menu" (im not using the english version). But as Nenadic pointed out, it has to be enabled BEFORE the event, you can not see what happened "in the past".
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
NenadicCommented:
The menu is POLICIES, then go under AUDITING. Then, go to Windows Explorer and right-click on files or folders you want audited.

Bear in mind that auditing on files and folders can only be done on NTFS partitions. So, ideally you should prohibit users from deleting files to start off with, and then specify auditing to see who attempted to delete a file.
0
 
ravenoneCommented:
Auditing is a two step process.
First, you need to enable it in User Manager.  There, under Policy, select Audit.  Audit File and Object Access, both success and failure.
Next, go to the folder where the files are stored. In Explorer, click on security and click auditing.

It's advisable to select only what you want to audit, in your case delete (success and failure).  If you select all of the options, your security log will fill very quickly.  Also, you can add users here- it's best to limit the number of users, since too many will fill the log quickly.  If you log everything, it will slow down your system as well.

You sould also change the rights to eventvwr.exe, so only you can run it and so others can't go in and clear the logs.

-Tabo, MCSE
0
 
NenadicCommented:
Ravenone,
Please don't post a copy of my comment as your answer.
0
 
HoudinizedAuthor Commented:
thank you guys for the help! appreciate it!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now