Solved

Logging deleted files

Posted on 2006-10-31
Last Modified: 2009-05-18
I have a volume on one of our file servers (Server 2003 Standard) where people keep deleting files and sometimes groups of folders.  Now I've searched extensively for a solution using tracking events in the event manager for this type of thing, but so far have drawn a blank.

Is there any way I can track people who delete files from the file server volume, either by user name, IP or otherwise, so that I can get some accountability for these actions?  Having to keep reverting to the tape backups is becoming a significant pain in the ass.
0
Question by:zejoka
9 Comments
 
LVL 12

Expert Comment

by:Donnie4572
ID: 17844193
Actually,
You should set NTFS permissions and allow deletions only by users that are authorized to delete.
Knowing who deleted a file or folder will not help in the recovery process.

I have not heard of a way to do what you ask.....using Windows. Maybe third party but it is doubtful.
0
 
LVL 8

Expert Comment

by:garyrafferty
ID: 17844272
Hi
You can set up auditing for a volume and specify what actions you want to audit.

Go to Properties on the volume, click the Security tab, then click the Advanced tab, then the Auditing tab, then just select the users you want to audit and the action you want to audit.

0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 17844363
Auditing Folder Access

To enable auditing of access to files and folders (Microsoft call this type of auditing "Audit Object Access"), be aware of how auditing works.

You can audit a lot more in XP or Server 2003 than you could in older operating systems (NT and 2K), but essentially auditing will only ever flag two things:

1. <something> was successful (Success)
2. <something> was NOT successful (Failure)

By default all auditing on all objects is turned off (set to No Auditing).

For the following I'll assume you want to enable auditing on a folder called "Shared" on a server called "Server", but these rules are exactly the same on a client.

Log into "Server"

1. Turn the auditing system on. Click Start > Run > gpedit.msc {enter}. NB: We are in LOCAL policies here. DON'T define auditing in Domain policy, as all your clients' event viewers will fill up with junk, and it slows them down.

2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"

3. Double click "Audit Object Access" > Tick Success and Failure > Apply > OK

4. Exit the Group Policy Editor

5. Navigate to the "Shared" folder > right click > Properties > Security > Advanced > Auditing

6. DON'T click ADD, double click in the "white-space" in the middle of the auditing window.

7. By default the "Everyone" group is selected, leave it this way unless there is a specific group you want to audit.

8. Select the "actions" you want to audit > OK > OK > OK

Audited Events will now be displayed in the event viewer > security log
0
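Once the auditing described in the accepted answer is on, the Security log still has to be read to answer "who deleted what". The following is an added example, not part of the original thread: it assumes the Server 2003 Security log event IDs 560 (handle opened), 562 (handle closed) and 564 (object deleted), none of which the thread mentions, and a constructed dict layout for records already exported and parsed. Event 564 carries only a Handle ID, so the user and file name have to be recovered from the earlier 560 event with the same handle.

```python
# Added example: pair "object deleted" (564) events with the "handle opened"
# (560) event that names the file and the user. Event IDs are the Windows
# Server 2003 Security log IDs (assumption, not stated in the thread).
# SAMPLE_EVENTS is constructed data in a hypothetical parsed-export layout.
SAMPLE_EVENTS = [
    {"id": 560, "time": "2006-10-31 09:14:02", "pid": "4", "handle": "1820",
     "object": r"D:\Shared\Projects\plan.doc", "client_domain": "CORP",
     "client_user": "jsmith", "accesses": ["DELETE", "ReadAttributes"]},
    {"id": 564, "time": "2006-10-31 09:14:02", "pid": "4", "handle": "1820"},
    {"id": 562, "time": "2006-10-31 09:14:02", "pid": "4", "handle": "1820"},
    # The same handle number is reused later by a different user for a read.
    {"id": 560, "time": "2006-10-31 09:20:11", "pid": "4", "handle": "1820",
     "object": r"D:\Shared\Projects\notes.txt", "client_domain": "CORP",
     "client_user": "akhan", "accesses": ["ReadData (or ListDirectory)"]},
    {"id": 562, "time": "2006-10-31 09:20:12", "pid": "4", "handle": "1820"},
    # A delete whose opening 560 event is missing (e.g. log wrapped).
    {"id": 564, "time": "2006-10-31 09:31:40", "pid": "4", "handle": "2044"},
]


def deletions(events):
    """Return (time, DOMAIN\\user, path) per delete; events must be in
    chronological order. Unresolvable deletes yield (time, None, None)."""
    open_handles = {}  # (pid, handle) -> the 560 record that opened it
    found = []
    for ev in events:
        key = (ev["pid"], ev["handle"])
        if ev["id"] == 560:
            open_handles[key] = ev
        elif ev["id"] == 562:
            # Handle numbers are recycled, so forget them once closed.
            open_handles.pop(key, None)
        elif ev["id"] == 564:
            opened = open_handles.get(key)
            if opened and "DELETE" in opened["accesses"]:
                user = opened["client_domain"] + "\\" + opened["client_user"]
                found.append((ev["time"], user, opened["object"]))
            else:
                found.append((ev["time"], None, None))
    return found


if __name__ == "__main__":
    for when, user, path in deletions(SAMPLE_EVENTS):
        print(when, user or "<unknown user>", path or "<unknown object>")
```

An unresolved row means the Security log was too small or was cleared between the open and the delete, so size the log to cover the retention period you need.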
 
LVL 10

Expert Comment

by:stafi
ID: 17844449
0
 
LVL 5

Expert Comment

by:trarthur
ID: 17845074
If you are seeing a lot of parent folders getting deleted, you can set the Deny Delete NTFS permission on the folder.  Make sure and specify "apply onto This Folder only".
0
 
LVL 1

Author Comment

by:zejoka
ID: 17845140
Yeah, I could deny via NTFS permissions, but people need to perform housekeeping within this particular volume, so this method is not practical in this case (as much as I'd love to alleviate the problem for good by this method).
0
 
LVL 12

Expert Comment

by:Donnie4572
ID: 17845222
The solution provided above may meet your need.
Example:
If you audit a particular folder for success then the last person that accessed it would have to be the person that deleted it.

However, I fail to see the need of knowing the name of the person that inadvertently deleted a file since that information will not aid in the recovery. That information would only be useful to correct the person from deleting it again.
0
