Balack

How to track user actions on deleting file and folder in Windows domain?

This is using a Windows 2003 AD domain. A DC also works as the file server. Recently, a subfolder in one of the shared folders was found deleted. I have a problem tracking it, as no event is being logged in the Event Viewer. What can I do to track it?
thabash

You can't track.

Solution: on the shared folder, give the read-only option if you don't want anybody to delete files.
Why don't you try any recovery software to recover the deleted file?
Where is your backup strategy?

On the DC, edit the GPO. You need to enable success and failure auditing for object access, enable it for the delete action and apply it to Everyone (AD group).
Balack

ASKER

I only want to track delete/add/modify on shared folders on the DC. Does it mean that I have to edit GPOs for the domain controller?
Balack

ASKER

I did exactly what dexIT told me, and I can get security events for user actions on the selected shared folder. But the event only shows the user, not the workstation. Is there a way to show the workstation as well?
Balack

ASKER

Hi DexIT,

Any suggestion?
Glen Knight
This can be done quite easily by enabling file and folder auditing as per: http://support.microsoft.com/kb/325898
You may also want to look at third-party software. Do a Google search for "network auditing" software. Most of them can consolidate and flag exceptions. That isn't really in the basic Windows package.
http://www.tripwire.com/ is the choice of many big companies as it can track who accessed a file, who wrote to it, deleted it, moved it, and many other things.

eb
Balack

ASKER

Please rule out using any 3rd-party software. I'm only interested in using the Microsoft way.
Not only do you have to enable file/folder auditing, you have to go to those files and folders and turn on the object access, and if not using a catch-all like "Authenticated Users" or "Everyone" you have to specify the users you want to audit...
As for the workstation, that is a separate event. You need to correlate where that user was logged on at the time of deletion, and/or what machine that user connected from.
Right-click the file/folder you want to audit, go to Properties, then the Security tab, then the Advanced button, then the Audit tab, Add, use a group, list individuals, or try a catch-all like Everyone, then select the type of action you want to audit, and if it's a folder you might check the apply to subfolders (see attached)
-rich
object-access.PNG
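
The correlation described in the reply above, sketched as an added example that is not part of the original thread: each audited delete is matched to the logon session it came from, which is where the workstation name and source address are recorded. The event IDs (540 network logon, 538 logoff, 560 object open), the field names and every sample record are assumptions and constructed data, standing in for an export of the file server's Security log.

```python
from datetime import datetime

# Assumed Windows Server 2003 Security log event IDs (not stated in the thread).
NET_LOGON, LOGOFF, OBJECT_OPEN = 540, 538, 560

# Constructed sample records, shaped like an export of the file server's Security log.
EVENTS = [
    {"time": "2009-03-02 08:55:10", "id": 540, "user": "jsmith", "logon_id": "0x3E1A7",
     "workstation": "WS-ACCT-04", "source_ip": "10.0.5.21"},
    {"time": "2009-03-02 09:02:41", "id": 540, "user": "jsmith", "logon_id": "0x3F2B0",
     "workstation": "WS-LAB-11", "source_ip": "10.0.7.63"},
    {"time": "2009-03-02 09:04:05", "id": 560, "user": "jsmith", "logon_id": "0x3F2B0",
     "object": r"D:\Shares\Finance\Q1", "accesses": "DELETE"},
    {"time": "2009-03-02 09:10:00", "id": 538, "user": "jsmith", "logon_id": "0x3F2B0"},
    {"time": "2009-03-02 09:30:17", "id": 560, "user": "mlee", "logon_id": "0x41C02",
     "object": r"D:\Shares\Finance\old.xls", "accesses": "DELETE"},
    {"time": "2009-03-02 09:31:00", "id": 560, "user": "jsmith", "logon_id": "0x3E1A7",
     "object": r"D:\Shares\Finance\plan.doc", "accesses": "ReadData"},
]

def correlate_deletes(events):
    """Attach the originating workstation to each audited delete."""
    sessions = {}   # logon_id -> logon record, for sessions that are still open
    findings = []
    ordered = sorted(events, key=lambda e: datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))
    for ev in ordered:
        if ev["id"] == NET_LOGON:
            sessions[ev["logon_id"]] = ev
        elif ev["id"] == LOGOFF:
            sessions.pop(ev["logon_id"], None)
        elif ev["id"] == OBJECT_OPEN and "DELETE" in ev["accesses"]:
            # Prefer the exact session; fall back to the user's latest open session.
            logon = sessions.get(ev["logon_id"])
            if logon is None:
                open_for_user = [s for s in sessions.values() if s["user"] == ev["user"]]
                logon = open_for_user[-1] if open_for_user else None
            findings.append({
                "time": ev["time"], "user": ev["user"], "object": ev["object"],
                "workstation": logon["workstation"] if logon else None,
                "source_ip": logon["source_ip"] if logon else None,
                # False means the match is by user and time only, or unresolved.
                "exact": logon is not None and logon["logon_id"] == ev["logon_id"],
            })
    return findings

if __name__ == "__main__":
    for finding in correlate_deletes(EVENTS):
        print(finding)
```

A finding with no workstation means the matching logon is not in the exported range, so the export needs to reach further back than the deletion.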
Balack

ASKER

Hi Richrumble,

I followed the steps in your previous mail, and I can get the audits in the event log. But the event log only shows the user name; it doesn't show the workstation from which the user performed the activities.

I don't have the event log snapshot, as I have to travel onsite to get it.
ASKER CERTIFIED SOLUTION
Rich Rumble

This solution is only available to members.
Balack

ASKER

Is ok