Windows Server 2003 - auditing - who moved some files?

Posted on 2007-10-12
Last Modified: 2013-12-04
A folder was moved to another and the person who did this has not come forward.
The PC holding the files is a Win 2003 server SP2.
The files were considered deleted at first.
Auditing has been set up on the drive, but how do I tell who moved the folders in question?
Question by: gpersand
    LVL 30

    Expert Comment

    A move operation is logged as a deletion on the source server and a creation on the target server (if different).  Assuming that you are auditing Success for object access events, both of these events will be logged in the Security log of the Windows Event Viewer.

    If you did not have auditing enabled at the time that the files were moved, there is unfortunately no way to go back in time and audit after the fact.
    LVL 70

    Expert Comment

    Auditing is not retrospective; if it's not enabled when the action occurs then there is no way to capture past events.

    To audit this sort of event you will need to enable the auditing of object access for "success" and then enable the auditing of events on the specific folders. See

    Even then, detecting the precise event you want is not easy as there is likely to be a lot of events recorded; you can reduce the list by using filtering of the security log ( or using the LogParser utility (

    Author Comment

    Auditing was enabled.

    With respect to the auditing setup.
    The only attribute that was enabled for the audit was "delete" success and failure.
    What attribute needs to be enabled to show if files have been moved from one subfolder to another?
    LVL 30

    Accepted Solution

    As I indicated above, you need to be auditing for successful deletions on the source, and successful creations on the destination server (if it is the same physical server, you need to audit for successful deletions and creations on the same server.)
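
The correlation the answers describe (a deletion on the source paired with a creation on the destination), as an added example that is not part of the original thread. On Windows Server 2003 the Security log records a handle open as event 560 and the deletion itself as event 564, which carries a handle ID rather than the object name, so the name and user are taken from the matching 560. The records, field names, paths and account names below are constructed and simplified.

```python
from datetime import datetime, timedelta
from ntpath import basename

# Constructed sample records, simplified from an exported Security log.
# Field names are assumptions of this example, not a real export format.
EVENTS = [
    {"time": "2007-10-11 14:02:10", "id": 560, "user": "CORP\\jdoe", "handle": "1840",
     "object": r"D:\Shared\Projects\Q3", "accesses": "DELETE"},
    {"time": "2007-10-11 14:02:10", "id": 560, "user": "CORP\\jdoe", "handle": "1844",
     "object": r"D:\Shared\Archive\Q3", "accesses": "AppendData (or AddSubdirectory)"},
    {"time": "2007-10-11 14:02:11", "id": 564, "user": "", "handle": "1840",
     "object": "", "accesses": ""},
    {"time": "2007-10-11 15:30:00", "id": 560, "user": "CORP\\asmith", "handle": "2012",
     "object": r"D:\Shared\Projects\old.tmp", "accesses": "DELETE"},
    {"time": "2007-10-11 15:30:00", "id": 564, "user": "", "handle": "2012",
     "object": "", "accesses": ""},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def find_moves(events, window_seconds=5):
    """Split confirmed deletions into likely moves and plain deletions."""
    window = timedelta(seconds=window_seconds)
    creates = [e for e in events if e["id"] == 560 and "Add" in e["accesses"]]
    pending, moves, deletes = {}, [], []
    for e in sorted(events, key=_ts):
        if e["id"] == 560 and "DELETE" in e["accesses"]:
            pending[e["handle"]] = e  # handle IDs are reused, keep the latest open
        elif e["id"] == 564 and e["handle"] in pending:
            src = pending.pop(e["handle"])  # resolve handle -> object name and user
            match = next((c for c in creates
                          if c["user"] == src["user"]
                          and basename(c["object"]).lower() == basename(src["object"]).lower()
                          and c["object"].lower() != src["object"].lower()
                          and abs(_ts(c) - _ts(e)) <= window), None)
            if match:
                moves.append((src["user"], src["object"], match["object"], e["time"]))
            else:
                deletes.append((src["user"], src["object"], e["time"]))
    return moves, deletes

if __name__ == "__main__":
    moves, deletes = find_moves(EVENTS)
    for user, src, dst, when in moves:
        print(f"{when}  {user} moved {src} -> {dst}")
    for user, src, when in deletes:
        print(f"{when}  {user} deleted {src}")
```

A pairing only appears if creation access is audited on the destination as well; with only "delete" audited, every move shows up as a plain deletion.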
