Someone logged me off how can i find who and did what


I had Ctrl Alt Del my machine and out of office.Some one restarted my machine and logged in as the Domain Administrator and logged of the system.I want to find what they did after logging in to my machine.
Did they delete any file ,Copy,Move,Editted any files etc.Is there  a way to find this.

LVL 11
Who is Participating?
ashutosh_kumarConnect With a Mentor Commented:
by default auditing is disabled.

for enabling it, you need to set auditing on the folders you want to monitor. Secondly you need to enable auditing from the group policy.

after enabling this, events are logged in the event viewer if any changes are made to the files/folders...

also, you can choose what events to log like read/delete...etc.
you can find out who did log you out from the security log in the event viewer or computer management.

however for the files, if auditing is enabled and group policy has been enabled for "Audit Object access", then only you can find out what files have changed...

else try to find out the modified files by date/time
speshalystConnect With a Mentor Commented:

I think we have beaten this up pretty bad ealrlier...

If you had enabled Files Access Audits on your NTFS drives, you can find out.. what files were accessed..

If not.. i dont see a better way!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.