Windows 2003 File Server - Delete Tracking

My file server is running Windows 2003 Enterprise R2.  Is there a way to track which user name deletes specific files?
Who is Participating?
Toni UranjekConnect With a Mentor Consultant/TrainerCommented:
Hi deklinm,

Yes. First enable Object access auditing on file server through local policy or with GPO. Then go to folder you wish to monitor, right click, select Properties, go to Security tab, click Advanced button go to Auditing tab. Select group/user you want to monito, select Delete file Success/failure. Then check security log for two events: 560 and 564 to extract info which user has succesfuly delete file.

Step-bystep guides:

"Define or modify auditing policy settings for an event category"

"Apply or modify auditing policy settings for a local file or folder"


L3370Connect With a Mentor Commented:
Yes. You can set Auditing.

Here is a Microsoft KB article that describes the process.\

You will have to specify the folders and files you want to audit.  

Also.. Make sure you have the space for this!  The logs on this kind of process can easily become large and unwieldy.  Make sure your event logs can reach the size or overwrite as needed.
toniur, you are a worthy adversary...beat me to the punch :P
cobra09Connect With a Mentor Commented:
Enable Auditing is one part of the solution. Because it will throw 100 thousand entries making it difficult to track..

Please see the attached PDF.
supergggConnect With a Mentor Commented:

FileSure by bystorm software will do what you are looking for.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.