Logging deleted files

I have a volume on one of our file servers (Server 2003 Standard) where people keep deleting files and sometimes groups of folders.  Now I've searched extensively for a solution using tracking events in the event manager for this type of thing, but so far have drawn a blank.

Is there any way I can track people who delete files from the file server volume, either by user name, IP or otherwise so that I can get some accountability for these actions.  having to keep reverting to the tape backups is becoming a significant pain in the ass.
LVL 1
zejokaAsked:
Who is Participating?
 
Pete LongTechnical ConsultantCommented:
Auditing Folder Access

To enable Auditing of access to files and folders (Microsoft call this type of auditing "Audit Object Access")
be aware of how auditing works,

You can audit a lot more in XP or Server 2003 than you could in older Operating systems (NT and 2K) but essentially
auditing will only ever flag two things,

1. <something> was successful (success)
2. <something was NOT successful (Failure)

By default all auditing on all objects is turned off (set to No Auditing)

For the following I'll assume you want to enable auditing on a folder called "Shared" on a server called "Server"
but these rules are exactly the same on a client.

Log into "Server"

1. Turn the auditing system on. Click Start  > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.

2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"

3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK

4. Exit the Group policy Editor

5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing

6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.

7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.

8. Select the "actions" you want to audit > OK >OK >OK

Audited Events will now be displayed in the event viewer > security log
0
 
Donnie4572Commented:
Actually,
You should set NTFS permissions and allow deletions only by users that are authorized to delete.
Knowing who deleted a file of folder will not help in the recovery process.

I have not heard of a way to do what you ask.....using windows. Maybe third party but it is doubtful.
0
 
garyraffertyCommented:
Hi
You can setup auditing for a volume and specify what actions you want to audit.

Goto properties on the volume click security tab and then click advanced tab then auditing tab then just select the users you want to audit and the action you want to audit.

0
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

 
trarthurCommented:
If you are seeing a lot of parent folders getting deleted, you can set the Deny Delete NTFS permission on the folder.  Make sure and specify
"apply onto This Folder only".
0
 
zejokaAuthor Commented:
Yeah, I could deny via NTFS permissions, but people need to perform housekeeping within this particular volume, so this method is not practical in this case (as much as I'd love to alleviate the problem for good by this method)
0
 
Donnie4572Commented:
The solution provided above may meet your need.
Example:
If you audit a paticular folder for sucess then the last person that accessed it would have to be the person that deleted it.

However, I fail to see the need of knowing the name of the person that inadvertantly deleted a file since that information will not aid in the recovery. That information would only be useful to correct the person from deleting it again.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.