

Windows Server 2003 - auditing - who moved some files?

Posted on 2007-10-12
Medium Priority
Last Modified: 2013-12-04
A folder was moved to another and the person who did this has not come forward.
The pc holding the files is a Win 2003 server sp2.
The files we considered deleted at first.
Auditing has been set up on the drive but how do I tell who moved the folders in question?
Question by: gpersand

Expert Comment

ID: 20067353
A move operation is logged as a deletion on the source server and a creation on the target server (if different).  Assuming that you are auditing Success for object access events, both of these events will be logged in the Security log of the Windows Event Viewer.

If you did not have auditing enabled at the time that the files were moved, there is unfortunately no way to go back in time and audit after the fact.

Expert Comment

ID: 20069702
Auditing is not retrospective; if it's not enabled when the action occurs, then there is no way to capture past events.

To audit this sort of event you will need to enable the auditing of object access for "success" and then enable the auditing of events on the specific folders. See http://technet2.microsoft.com/windowsserver/en/library/ecf63dcf-17e7-4279-91ff-beb11bd0d6881033.mspx?mfr=true

Even then, detecting the precise event you want is not easy, as there is likely to be a lot of events recorded; you can reduce the list by using filtering of the security log (http://support.microsoft.com/kb/308427) or using the LogParser utility (http://www.windowsitpro.com/Articles/ArticleID/43827/43827.html?Ad=1).

Author Comment

ID: 20101138
Auditing was enabled.

With respect to the auditing setup:
The only attribute that was enabled for the audit was "delete" success and failure.
What attribute needs to be enabled to show if files have been moved from one subfolder to another?

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 20101415
As I indicated above, you need to be auditing for successful deletions on the source, and successful creations on the destination server (if it is the same physical server, you need to audit for successful deletions and creations on the same server.)
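
Added example, not part of the thread: one way to narrow an exported Security log to likely moves by pairing a successful delete access under the source folder with a create access elsewhere by the same account within a few seconds. It assumes the events were exported as object-open records (event ID 560 on Windows Server 2003) with the access names joined by semicolons; the record layout, account names and paths are constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Assumed "Accesses" strings from object-open events (event ID 560).
DELETE = ("DELETE",)
CREATE = ("WriteData (or AddFile)",
          "AppendData (or AddSubdirectory or CreatePipeInstance)")

# Constructed sample export (not real log data): one dict per Security log event.
SAMPLE_EVENTS = [
    {"time": "2007-10-11 09:14:02", "event_id": 560, "user": "CORP\\asmith",
     "object": r"D:\Shares\Finance\Budgets", "accesses": "ReadData (or ListDirectory)"},
    {"time": "2007-10-11 09:31:40", "event_id": 560, "user": "CORP\\jdoe",
     "object": r"D:\Shares\Finance\Budgets", "accesses": "DELETE; ReadAttributes"},
    {"time": "2007-10-11 09:31:41", "event_id": 560, "user": "CORP\\jdoe",
     "object": r"D:\Shares\Archive",
     "accesses": "AppendData (or AddSubdirectory or CreatePipeInstance)"},
    {"time": "2007-10-11 10:02:10", "event_id": 560, "user": "CORP\\bwong",
     "object": r"D:\Shares\Finance\Budgets\q3.xls", "accesses": "DELETE"},
]

def _when(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def _granted(event, wanted):
    # True if any of the wanted access names appears in the event's access list.
    return any(a.strip() in wanted for a in event["accesses"].split(";"))

def _under(path, folder):
    # Case-insensitive "is path the folder itself or inside it" for Windows paths.
    p, f = ntpath.normcase(path), ntpath.normcase(folder).rstrip("\\")
    return p == f or p.startswith(f + "\\")

def find_moves(events, source_folder, window_seconds=5):
    """Pair each delete under source_folder with the same user's nearest create elsewhere."""
    opens = [e for e in events if e["event_id"] == 560]
    deletes = [e for e in opens if _granted(e, DELETE) and _under(e["object"], source_folder)]
    creates = [e for e in opens if _granted(e, CREATE) and not _under(e["object"], source_folder)]
    window = timedelta(seconds=window_seconds)
    moves = []
    for d in deletes:
        gap = lambda c: abs(_when(c) - _when(d))
        near = [c for c in creates
                if c["user"].lower() == d["user"].lower() and gap(c) <= window]
        if near:  # a delete with no matching create is a plain deletion, not a move
            moves.append((d["user"], d["object"], min(near, key=gap)["object"], d["time"]))
    return moves
```

Each returned tuple is (account, source object, destination object, time of the delete access); deletes with no nearby create by the same account are left out as plain deletions.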

Question has a verified solution.