Solved

Logging deleted files

Posted on 2006-10-31
9
1,886 Views
Last Modified: 2009-05-18
I have a volume on one of our file servers (Server 2003 Standard) where people keep deleting files and sometimes groups of folders.  Now I've searched extensively for a solution using tracking events in the event manager for this type of thing, but so far have drawn a blank.

Is there any way I can track people who delete files from the file server volume, either by user name, IP or otherwise so that I can get some accountability for these actions.  having to keep reverting to the tape backups is becoming a significant pain in the ass.
0
Comment
Question by:zejoka
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 12

Expert Comment

by:Donnie4572
ID: 17844193
Actually,
You should set NTFS permissions and allow deletions only by users that are authorized to delete.
Knowing who deleted a file of folder will not help in the recovery process.

I have not heard of a way to do what you ask.....using windows. Maybe third party but it is doubtful.
0
 
LVL 8

Expert Comment

by:garyrafferty
ID: 17844272
Hi
You can setup auditing for a volume and specify what actions you want to audit.

Goto properties on the volume click security tab and then click advanced tab then auditing tab then just select the users you want to audit and the action you want to audit.

0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 17844363
Auditing Folder Access

To enable Auditing of access to files and folders (Microsoft call this type of auditing "Audit Object Access")
be aware of how auditing works,

You can audit a lot more in XP or Server 2003 than you could in older Operating systems (NT and 2K) but essentially
auditing will only ever flag two things,

1. <something> was successful (success)
2. <something was NOT successful (Failure)

By default all auditing on all objects is turned off (set to No Auditing)

For the following I'll assume you want to enable auditing on a folder called "Shared" on a server called "Server"
but these rules are exactly the same on a client.

Log into "Server"

1. Turn the auditing system on. Click Start  > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.

2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"

3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK

4. Exit the Group policy Editor

5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing

6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.

7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.

8. Select the "actions" you want to audit > OK >OK >OK

Audited Events will now be displayed in the event viewer > security log
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 
LVL 10

Expert Comment

by:stafi
ID: 17844449
0
 
LVL 5

Expert Comment

by:trarthur
ID: 17845074
If you are seeing a lot of parent folders getting deleted, you can set the Deny Delete NTFS permission on the folder.  Make sure and specify
"apply onto This Folder only".
0
 
LVL 1

Author Comment

by:zejoka
ID: 17845140
Yeah, I could deny via NTFS permissions, but people need to perform housekeeping within this particular volume, so this method is not practical in this case (as much as I'd love to alleviate the problem for good by this method)
0
 
LVL 12

Expert Comment

by:Donnie4572
ID: 17845222
The solution provided above may meet your need.
Example:
If you audit a paticular folder for sucess then the last person that accessed it would have to be the person that deleted it.

However, I fail to see the need of knowing the name of the person that inadvertantly deleted a file since that information will not aid in the recovery. That information would only be useful to correct the person from deleting it again.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question