We help IT Professionals succeed at work.

Windows 2003 File Server - Delete Tracking

deklinm
deklinm asked
on
Medium Priority
884 Views
Last Modified: 2012-05-06
My file server is running Windows 2003 Enterprise R2.  Is there a way to track which user name deletes specific files?
Comment
Watch Question

Consultant/Trainer
Commented:
Hi deklinm,

Yes. First enable Object access auditing on file server through local policy or with GPO. Then go to folder you wish to monitor, right click, select Properties, go to Security tab, click Advanced button go to Auditing tab. Select group/user you want to monito, select Delete file Success/failure. Then check security log for two events: 560 and 564 to extract info which user has succesfuly delete file.

Step-bystep guides:

"Define or modify auditing policy settings for an event category"
http://technet.microsoft.com/en-us/library/cc787268.aspx

"Apply or modify auditing policy settings for a local file or folder"
http://technet.microsoft.com/en-us/library/cc784387.aspx

HTH

Toni

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Commented:
Yes. You can set Auditing.

Here is a Microsoft KB article that describes the process.\
http://support.microsoft.com/kb/310399

You will have to specify the folders and files you want to audit.  

Also.. Make sure you have the space for this!  The logs on this kind of process can easily become large and unwieldy.  Make sure your event logs can reach the size or overwrite as needed.

Commented:
toniur, you are a worthy adversary...beat me to the punch :P
Commented:
Enable Auditing is one part of the solution. Because it will throw 100 thousand entries making it difficult to track..

Please see the attached PDF.
System-Admin-Tips--How-to-audit-.pdf
Commented:

FileSure by bystorm software will do what you are looking for.
www.bystorm.com
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.