Solved

Tracking deleted files on a Windows 2000 Server

Posted on 2006-10-19
1
177 Views
Last Modified: 2010-03-18
Hi

We are using a Windows 2000 SP4 server as our main file server. Client machines are using Windows XP SP2.

Very occasionally, we get users complaining that the odd folder on the file server has been deleted...we normally carry out a search for it and it turns out the folder
has been accidentally moved.

However, a user reported a bunch of folders and subfolders missing yesterday. We carried out a search to no avail, so we had to restore from backup.

Is there any way we can track/audit what happened to these files? I suppose we may be too late in this case, but perhaps in the future?

Many thanks
0
Comment
Question by:Dilan77
1 Comment
 
LVL 9

Accepted Solution

by:
trenes earned 250 total points
ID: 17764624
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx
Auditing Files and Folders
If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing of this type is only available on NTFS volumes.

You can configure file and folder auditing by completing the following steps:

1. In Windows Explorer, right-click the file or folder to be audited, and then from the pop-up menu select Properties.
2. Choose the Security tab, and then click Advanced.
3. In the Access Control Settings dialog box, select the Auditing tab, shown in Figure 13-15.
4. If you want to inherit auditing settings from a parent object, ensure that Allow Inheritable Auditing Entries From Parent To Propagate To This Object is selected.
5. If you want child objects of the current object to inherit the settings, select Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries.
6. Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.
7. To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialog box to select an account name to add.

Note: If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit.
 
8. As necessary, use the Apply Onto drop-down list box to specify where objects are audited.
9. Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the special permissions listed in Table 13-5—except you can't audit synchronizing of offline files and folders.

10.Choose OK when you're finished. Repeat this process to audit other users, groups, or computers.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Nslookup is a command line driven utility supplied as part of most Windows operating systems that can reveal information related to domain names and the Internet Protocol (IP) addresses associated with them. In simple terms, it is a tool that can …
Downtime reduced, data recovered by utilizing an Experts Exchange Business Account Challenge The United States Marine Corps employs more than 200,000 active-duty Marines with operations in four continents, all requiring complex networking system…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question