Need help auditing disappearing files
Posted on 2008-10-15
I have a server 2008 file server running DFS to allow access to the data by the end users. I have the end users mapped to the namespace and that is how they work, \\domain.com\Production is mapped to T:\
I have an instance in the past few days that someone is coming to me every day saying files are missing randomly and have been deleted and they didn't do it. He also has some files that he said are being rolled back, ie he made changes at 3 PM today, but at 4 PM he went to make more changes and now it shows the file timestamps as 2 PM. This obviously is very confusing so I have taken the following steps...
On the local policy of the server turned on audit Object Access success and failure. I then went to the directory in question at the root and setup Everyone with success/failure on delete and delete subfolders and files.
There has been another case of this happening since I turned it on but I cant seem to find anything in the logs to tell me what is happening. Is there a specific event ID that tells me if it has been deleted? Also what do I need to check to tell me when something is being modified?
EDIT: I also seem to be pulling random logon events into my security log on this local machine when I know for a fact that these users are not logging into the server...what is going on with that?