Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Logging deleted files

Posted on 2006-10-31
9
Medium Priority
?
1,890 Views
Last Modified: 2009-05-18
I have a volume on one of our file servers (Server 2003 Standard) where people keep deleting files and sometimes groups of folders.  Now I've searched extensively for a solution using tracking events in the event manager for this type of thing, but so far have drawn a blank.

Is there any way I can track people who delete files from the file server volume, either by user name, IP or otherwise so that I can get some accountability for these actions.  having to keep reverting to the tape backups is becoming a significant pain in the ass.
0
Comment
Question by:zejoka
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 12

Expert Comment

by:Donnie4572
ID: 17844193
Actually,
You should set NTFS permissions and allow deletions only by users that are authorized to delete.
Knowing who deleted a file of folder will not help in the recovery process.

I have not heard of a way to do what you ask.....using windows. Maybe third party but it is doubtful.
0
 
LVL 8

Expert Comment

by:garyrafferty
ID: 17844272
Hi
You can setup auditing for a volume and specify what actions you want to audit.

Goto properties on the volume click security tab and then click advanced tab then auditing tab then just select the users you want to audit and the action you want to audit.

0
 
LVL 57

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 17844363
Auditing Folder Access

To enable Auditing of access to files and folders (Microsoft call this type of auditing "Audit Object Access")
be aware of how auditing works,

You can audit a lot more in XP or Server 2003 than you could in older Operating systems (NT and 2K) but essentially
auditing will only ever flag two things,

1. <something> was successful (success)
2. <something was NOT successful (Failure)

By default all auditing on all objects is turned off (set to No Auditing)

For the following I'll assume you want to enable auditing on a folder called "Shared" on a server called "Server"
but these rules are exactly the same on a client.

Log into "Server"

1. Turn the auditing system on. Click Start  > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.

2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"

3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK

4. Exit the Group policy Editor

5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing

6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.

7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.

8. Select the "actions" you want to audit > OK >OK >OK

Audited Events will now be displayed in the event viewer > security log
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 5

Expert Comment

by:trarthur
ID: 17845074
If you are seeing a lot of parent folders getting deleted, you can set the Deny Delete NTFS permission on the folder.  Make sure and specify
"apply onto This Folder only".
0
 
LVL 1

Author Comment

by:zejoka
ID: 17845140
Yeah, I could deny via NTFS permissions, but people need to perform housekeeping within this particular volume, so this method is not practical in this case (as much as I'd love to alleviate the problem for good by this method)
0
 
LVL 12

Expert Comment

by:Donnie4572
ID: 17845222
The solution provided above may meet your need.
Example:
If you audit a paticular folder for sucess then the last person that accessed it would have to be the person that deleted it.

However, I fail to see the need of knowing the name of the person that inadvertantly deleted a file since that information will not aid in the recovery. That information would only be useful to correct the person from deleting it again.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question