Solved

Logging deleted files

Posted on 2006-10-31
9
1,887 Views
Last Modified: 2009-05-18
I have a volume on one of our file servers (Server 2003 Standard) where people keep deleting files and sometimes groups of folders.  Now I've searched extensively for a solution using tracking events in the event manager for this type of thing, but so far have drawn a blank.

Is there any way I can track people who delete files from the file server volume, either by user name, IP or otherwise so that I can get some accountability for these actions.  having to keep reverting to the tape backups is becoming a significant pain in the ass.
0
Comment
Question by:zejoka
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 12

Expert Comment

by:Donnie4572
ID: 17844193
Actually,
You should set NTFS permissions and allow deletions only by users that are authorized to delete.
Knowing who deleted a file of folder will not help in the recovery process.

I have not heard of a way to do what you ask.....using windows. Maybe third party but it is doubtful.
0
 
LVL 8

Expert Comment

by:garyrafferty
ID: 17844272
Hi
You can setup auditing for a volume and specify what actions you want to audit.

Goto properties on the volume click security tab and then click advanced tab then auditing tab then just select the users you want to audit and the action you want to audit.

0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 17844363
Auditing Folder Access

To enable Auditing of access to files and folders (Microsoft call this type of auditing "Audit Object Access")
be aware of how auditing works,

You can audit a lot more in XP or Server 2003 than you could in older Operating systems (NT and 2K) but essentially
auditing will only ever flag two things,

1. <something> was successful (success)
2. <something was NOT successful (Failure)

By default all auditing on all objects is turned off (set to No Auditing)

For the following I'll assume you want to enable auditing on a folder called "Shared" on a server called "Server"
but these rules are exactly the same on a client.

Log into "Server"

1. Turn the auditing system on. Click Start  > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.

2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"

3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK

4. Exit the Group policy Editor

5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing

6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.

7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.

8. Select the "actions" you want to audit > OK >OK >OK

Audited Events will now be displayed in the event viewer > security log
0
What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

 
LVL 5

Expert Comment

by:trarthur
ID: 17845074
If you are seeing a lot of parent folders getting deleted, you can set the Deny Delete NTFS permission on the folder.  Make sure and specify
"apply onto This Folder only".
0
 
LVL 1

Author Comment

by:zejoka
ID: 17845140
Yeah, I could deny via NTFS permissions, but people need to perform housekeeping within this particular volume, so this method is not practical in this case (as much as I'd love to alleviate the problem for good by this method)
0
 
LVL 12

Expert Comment

by:Donnie4572
ID: 17845222
The solution provided above may meet your need.
Example:
If you audit a paticular folder for sucess then the last person that accessed it would have to be the person that deleted it.

However, I fail to see the need of knowing the name of the person that inadvertantly deleted a file since that information will not aid in the recovery. That information would only be useful to correct the person from deleting it again.
0

Featured Post

Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question