Go Premium for a chance to win a PS4. Enter to Win


Recovering data and information on Win 2000 server.

Posted on 2004-08-27
Medium Priority
Last Modified: 2010-04-14
I have a Windows 2000 server PDC network that one of my users quit and erased all of their files loaded on the server.  What kind of accounting information can I find to be able to tell when the files were deleted and by what user and what time?  The former employee did a lot of damage and we need to have this information.  Thanks.
Question by:johnpatbullock

Expert Comment

ID: 11914104
I am not fimiliar with Win 2000, but I suspect there is a folder with log files somewhere.
LVL 85

Expert Comment

ID: 11914556
If you haven't enabled auditing on the machine and the folder in question prior to the event, there's pretty much nothing you can do to find out who deleted what when. Windows by itself doesn't log deletion or creation of files unless told so.
The only option to find out which files were deleted is restoring a backup of the folder in question to another location, then compare the contents of the of the deleted folder with the restored folder.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 11918776
I concur with oBdA - unless you previously enabled auditing for file access, there list no way I've every heard of to get your data back.  You can, of course, yank the drive(s) from the system and send them to a data recovery service, like OnTrack - but that would be my only suggestion - and there's no guarentee they will be able to recover the data or give any information on who deleted the files and/or when.
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.


Author Comment

ID: 11923702
I've recovered my data, my problem is I want to be able to tell when the files were deleted and by whom.  I checked an auditing was not turned on.  Is their anyother way to tell?  Are their any third party applications that I can that will tell me.  
LVL 85

Accepted Solution

oBdA earned 1000 total points
ID: 11925168
No way, sorry. As I said, if you have a daily backup, you can roughly determine the time of deletion by checking when the files started missing in the backups. Otherwise, without auditing enabled, Windows does not keep a record of who deleted what, where, and when. It's just an entry in the file table that gets removed.

Assisted Solution

kelo501 earned 1000 total points
ID: 11998379
the only way I can think of is to look at your back ups and note when the files were no longer being backed up.  That will put you at 24 hours...  Then compare the users with, full control/modify permisions on the directory/files in question.  By defult logons are logged on the DC.

Now you can refrence:
deletion date
users with permisions
users logged on durring relavent time frame.

That in no way tells you who did it but would confirm if the person suspected was able to do it.  It will also help you correct your security policy to prevent it from happening again.


Expert Comment

ID: 12022496

Did that help you sort it out at all?

If you need anyhelp setting either the Defult domain or local security policys for logging let me know.

in addtion there is a product call spectorCNE by spector software that provides for so really great user watching.


Expert Comment

ID: 12396897
thanks hewittg

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses
Course of the Month10 days, 18 hours left to enroll

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question