Windows server 2003 - auditing -who moved some files?

A folder was moved to another and the person who did this has not come forward.
The pc holding the files is a Win 2003 server sp2.
The files we considered deleted at first.
Auditing has been set up on the drive but how do I tell who moved the folders in question?
Who is Participating?
LauraEHunterMVPConnect With a Mentor Commented:
As I indicated above, you need to be auditing for successful deletions on the source, and successful creations on the destination server (if it is the same physical server, you need to audit for successful deletions and creations on the same server.)
A move operation is logged as a deletion on the source server and a creation on the target server (if different).  Assuming that you are auditing Success for object access events, both of these events will be logged in the Security log of the Windows Event Viewer.

If you did not have auditing enabled at the time that the files were moved, there is unfortunately no way to go back in time and audit after the fact.
Brian PiercePhotographerCommented:
Auditing is not retrospecive, if its not enabled when the acton occurs then there is no way to capture past events.

To audit this sort of event you will need to enable the auditing of object access for "success" and then enable the auditing of events on the specific foders See

Even then detecting the precise event you want is not easy as their is likely to be a lot of events recorded, you can reduce the list by using filtering of the security log ( or using the LogParser utility (
gpersandAuthor Commented:
Auditing was enabled.

Wth respect to the auditing setup.
The only attribute that was enabled for the audit was "delete" success and failure.
What attribute needs to be enabled to show if files have been moved from one subfolder to another?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.