Recovering data and information on Win 2000 server.

Posted on 2004-08-27
Last Modified: 2010-04-14
I have a Windows 2000 server PDC network that one of my users quit and erased all of their files loaded on the server.  What kind of accounting information can I find to be able to tell when the files were deleted and by what user and what time?  The former employee did a lot of damage and we need to have this information.  Thanks.
Question by:johnpatbullock

Expert Comment

ID: 11914104
I am not familiar with Win 2000, but I suspect there is a folder with log files somewhere.
LVL 85

Expert Comment

ID: 11914556
If you haven't enabled auditing on the machine and the folder in question prior to the event, there's pretty much nothing you can do to find out who deleted what when. Windows by itself doesn't log deletion or creation of files unless told so.
The only option to find out which files were deleted is restoring a backup of the folder in question to another location, then compare the contents of the deleted folder with the restored folder.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 11918776
I concur with oBdA - unless you previously enabled auditing for file access, there is no way I've ever heard of to get your data back.  You can, of course, yank the drive(s) from the system and send them to a data recovery service, like OnTrack - but that would be my only suggestion - and there's no guarantee they will be able to recover the data or give any information on who deleted the files and/or when.

Author Comment

ID: 11923702
I've recovered my data, my problem is I want to be able to tell when the files were deleted and by whom.  I checked and auditing was not turned on.  Is there any other way to tell?  Are there any third-party applications that I can use that will tell me?
LVL 85

Accepted Solution

oBdA earned 250 total points
ID: 11925168
No way, sorry. As I said, if you have a daily backup, you can roughly determine the time of deletion by checking when the files started missing in the backups. Otherwise, without auditing enabled, Windows does not keep a record of who deleted what, where, and when. It's just an entry in the file table that gets removed.

Assisted Solution

kelo501 earned 250 total points
ID: 11998379
The only way I can think of is to look at your backups and note when the files were no longer being backed up.  That will put you at 24 hours...  Then compare the users with full control/modify permissions on the directory/files in question.  By default logons are logged on the DC.

Now you can reference:
deletion date
users with permissions
users logged on during relevant time frame.

That in no way tells you who did it but would confirm if the person suspected was able to do it.  It will also help you correct your security policy to prevent it from happening again.
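
The cross-check described in the two answers above (deletion window from successive backups, then accounts with delete rights that were logged on inside that window), as an added example that is not part of the original thread. The backup manifests, account names, permission set and logon sessions are constructed sample data; in practice they would come from the backup catalogs, the folder's ACL and the DC security log.

```python
from datetime import datetime

# Constructed sample data (not from the original thread).
# Backup manifests: backup completion time -> set of paths present in that backup.
BACKUPS = {
    datetime(2004, 8, 23, 23, 0): {r"D:\Shares\Sales\q3.xls", r"D:\Shares\Sales\leads.mdb",
                                   r"D:\Shares\Sales\plan.doc"},
    datetime(2004, 8, 24, 23, 0): {r"D:\Shares\Sales\q3.xls", r"D:\Shares\Sales\leads.mdb",
                                   r"D:\Shares\Sales\plan.doc"},
    datetime(2004, 8, 25, 23, 0): {r"D:\Shares\Sales\plan.doc"},
}
# Accounts with Modify or Full Control on the folder (hypothetical names).
CAN_DELETE = {"alice", "bob", "svc_backup"}
# Logon sessions: (user, logon time, logoff time or None if still open).
SESSIONS = [
    ("alice", datetime(2004, 8, 25, 8, 5), datetime(2004, 8, 25, 17, 30)),
    ("bob", datetime(2004, 8, 24, 9, 0), datetime(2004, 8, 24, 18, 0)),
    ("carol", datetime(2004, 8, 25, 9, 0), datetime(2004, 8, 25, 16, 0)),
]

def deletion_windows(backups):
    """Map each vanished path to (last backup that had it, first backup without it)."""
    times = sorted(backups)
    windows = {}
    for earlier, later in zip(times, times[1:]):
        # A path present in one backup and absent from the next was removed in between.
        for path in backups[earlier] - backups[later]:
            windows[path] = (earlier, later)
    return windows

def candidates(window, sessions, can_delete):
    """Accounts that had delete rights and a session overlapping the window."""
    start, end = window
    found = set()
    for user, logon, logoff in sessions:
        overlaps = logon < end and (logoff is None or logoff > start)
        if overlaps and user in can_delete:
            found.add(user)
    return sorted(found)

def report(backups, sessions, can_delete):
    """Per deleted path: the deletion window and the accounts that fit it."""
    return {path: (win, candidates(win, sessions, can_delete))
            for path, win in deletion_windows(backups).items()}

if __name__ == "__main__":
    for path, ((start, end), users) in sorted(report(BACKUPS, SESSIONS, CAN_DELETE).items()):
        print(f"{path}: removed between {start} and {end}; able to delete: {users}")
```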


Expert Comment

ID: 12022496

Did that help you sort it out at all?

If you need any help setting either the Default domain or local security policies for logging let me know.

In addition there is a product called spectorCNE by spector software that provides for some really great user watching.


Expert Comment

ID: 12396897
thanks hewittg
