AutumnIglesias

Auditing the deletion of all files from a folder and subfolders

Is there any way to audit the deletion of any and all files from a folder and its subfolders?  We have a problem with certain company-specific files turning up missing on some of our computers, and we think someone is purposely deleting them.  I want to be able to look at the event viewer and see an event for each file that was deleted.  If someone were to use a batch file running as a scheduled task, or something like that, is there a way I can track that?  Thanks.
mdiglio

Hello,
Yes, you can do this by:

open AD Users and Computers >> right-click your domain >>
select Properties >> click the Group Policy tab >> highlight the Default Domain Policy >> click Edit
expand Computer Configuration >> expand Windows Settings >> expand Security Settings >> expand Local Policies
>> click on Audit Policy >> enable success and/or failure of "Audit Object Access"

Now when that is done you still have to go to the folder(s) in question >>
right-click >> Properties >> Security tab >> Advanced >> Auditing tab >> click Add >>
then select the users or groups you would like to monitor.

More information on this can be found at:

Using Audit Policies to Secure Your Windows 2000 Network
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnexnt00/html/ewn0054.asp

Hope this helps!
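
The folder auditing setup described above, scripted as an added example that is not part of the original answer. It assumes a current Windows version (where file access shows up in the Security log as event 4663), an elevated PowerShell session, and a hypothetical folder path in `$Folder`.

```powershell
# Added example, not from the thread. Assumes a current Windows version and an
# elevated PowerShell session. $Folder is a hypothetical path.
$Folder = 'C:\CompanyFiles'

# 1. Check the effective policy (the "Audit Object Access" setting, which
#    current Windows splits into subcategories such as "File System").
auditpol /get /subcategory:"File System"

# 2. Add the auditing entry: Everyone (SID S-1-1-0), delete rights, success
#    and failure, inherited by subfolders and files.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None
$outcome  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, $rights, $inherit, $noProp, $outcome)

$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Confirm the entry is on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 4. After a test deletion, list event 4663 records for the folder whose
#    AccessMask includes DELETE (0x10000). Each row names the account and the
#    process, which covers deletions made by a batch file or scheduled task.
$DeleteBit = 0x10000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)
        if ($d['ObjectName'] -like "$Folder\*" -and ($mask -band $DeleteBit)) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Account = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Process = $d['ProcessName']
                File    = $d['ObjectName']
            }
        }
    } | Format-Table -AutoSize
```

If step 1 reports "No Auditing", the folder entry from step 2 produces no events until the policy reaches the machine.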
AutumnIglesias

ASKER

I enabled the success and failure options of audit object access in group policy, then rebooted my computer.  I set the auditing properties for a folder on my computer to audit delete and delete subfolders and files for this folder.  I made sure it's propagating to the files in the folder, then I deleted one of the files, but it didn't audit it in my security log.  Is there some time interval that I have to wait for group policy to refresh?

Hello,
You can do a secedit /refreshpolicy machine_policy from the command line, but if this domain controller
is local this should have happened by now.

Did you add yourself or the user account that you were using to the auditing tab?
Did you configure the events that you want to audit after you selected the users/groups?

I added the everyone group, and selected the events after the group.

Make sure the policy is being applied to whatever machine you are trying to audit
by looking at the local group policy:
Start >> Run >> gpedit.msc
Navigate to the Audit Policy folder and look to see if it is being applied.

This might tell you the local setting and the effective setting are different.



ASKER CERTIFIED SOLUTION
mdiglio
I agree with what MDIGLIO answered about auditing and gpedit.

About secedit, you should also enforce user settings:
Using Secedit.exe to Force Group Policy (GPO) to Be Applied Again:
http://support.microsoft.com/default.aspx?scid=kb;en-us;227448

Refresh policy from Windows 2000 Server:
1. Start / Run
2. CMD / ENTER
3. SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
4. SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
5. EXIT

If you have trouble with policy, have a look at these URLs:

Troubleshooting Group Policy in Windows 2000
http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp

Local Group Policy Settings Do Not Take Effect
http://support.microsoft.com/default.aspx?scid=kb;en-us;220862

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open