• Status: Solved
  • Priority: Medium
  • Security: Public

Monitor deleted files

I have a Windows 2003 file server. Once every few months an important directory is being deleted. How do I configure file-level monitoring on the directory, so I know who is deleting it?
1 Solution
Please check out this guide:
(How to audit File / Directory delete Operations on a Windows System using security auditing.)
Glen Knight Commented:
You need to enable auditing, see here for how: http://support.microsoft.com/kb/310399
How about making the directory itself read only, or even read\write but removing the ability to delete it?

There are ways but not always the easiest to dig up\through; you need to enable auditing:


Right-click on the folder, go to Sharing and Security, then the Security tab, and at the bottom click on Advanced. Select the Auditing tab, click Add, select the group or users to track, then pick what actions you want to track.

To track file deletion you would enable:

Create files/Write data Success/Fail
Create folders / append data Success/Fail
Delete Subfolders/Files Success/Fail
Delete Success/Fail

Once that's done, Windows will log all the information in the security event log.
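
The same audit entries can be set from PowerShell instead of the Auditing tab. This is an added example, not part of the original answers; the directory path, the `Everyone` principal and the inheritance settings are assumptions to adjust for your server.

```powershell
# Added example. $Path is a hypothetical directory; 'Everyone' is an assumed principal.
# Run elevated: reading and writing the SACL needs the "Manage auditing and
# security log" right. "Audit object access" must also be enabled in the audit
# policy, otherwise the SACL produces no Security log entries.
$Path = 'D:\Shares\Important'

# -Audit loads the existing SACL so current audit entries are preserved.
$acl = Get-Acl -Path $Path -Audit

# The four actions listed above, by their FileSystemRights names:
#   Create files / Write data     -> CreateFiles
#   Create folders / Append data  -> AppendData
#   Delete Subfolders/Files       -> DeleteSubdirectoriesAndFiles
#   Delete                        -> Delete
$rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete'

# Apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Log both successful and failed attempts (Success/Fail in the dialog).
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $flags)

$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm the entry is in place.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```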

I could find a way to tell you who was deleting the file, but then to find out who the culprit is you have to experience the problem and associated inconveniences again.  Instead, I would DENY (in advanced security settings under the permissions tab for the directory in question) to "Delete" and "Delete Subfolders and Files" to everyone except for one or two "trusted accounts" or a trusted group.  Then go into "Local Security Policy" and edit the Local Security Settings | Local Policies | Audit Policy | Audit Object Access.  Open the Audit Object Access window and set the policy to "Audit Failure Attempts" only.  This will accomplish three things:
1) The problem will not recur unless the problem is a trusted individual
2) When someone attempts to delete this directory in the future they will be denied access and the audit object access failures will catch it.
3) Your logs will not fill up quickly because you're only auditing failures and not successes.
Hope this helps
As mentioned before, you could do auditing; however, the first port of call is to see who has permission to that file and ensure that only people who need delete ability have it. MS shadow copy might also help you with restoring previous versions...
