How to track user actions on deleting files and folders in a Windows domain?

This is using a Windows 2003 AD domain. A DC also works as the file server. Recently, a subfolder in one of the shared folders was found deleted. I have a problem tracking it, as no event is being logged in the Event Viewer. What can I do to track it?
BalackAsked:

thabashCommented:
You can't track.

Solution: on the shared folder, give the read-only option if you don't want anybody to delete files.
Why don't you try any recovery software to recover the deleted file?
Where is your backup strategy?
0
thabashCommented:
I advise you to use this software: PA File Sight 3.7.
It will solve your issue.

Try the trial version:
http://www.poweradmin.com/file-sight/index.aspx?source=adwords&campaign=file-sight-search&adgroup=deleted-files&ad=009&gclid=CKKXhaO996ACFVMB4wodskcDGw
0
dexITCommented:
On the DC, edit the GPO. You need to enable success and failure auditing for object access, enable it for the delete action, and apply it to Everyone (AD group).
0

BalackAuthor Commented:
I only want to track delete/add/modify actions on shared folders on the DC. Does it mean that I have to edit GPOs for the domain controller?
0
BalackAuthor Commented:
I did exactly what dexIT said, and I can get security events for user actions on the selected shared folder. But the event only shows the user, not the workstation. Is there a way to show the workstation as well?
0
BalackAuthor Commented:
Hi DexIT,

Any suggestion?
0
Glen KnightCommented:
This can be done quite easily by enabling file and folder auditing as per: http://support.microsoft.com/kb/325898
0
Jim P.Commented:
You may also want to look at third-party software. Do a Google search for "network auditing" software. Most of them can consolidate and flag exceptions. That isn't really in the basic Windows package.
0
Erik BjersPrincipal Systems AdministratorCommented:
http://www.tripwire.com/ is the choice of many big companies as it can track who accessed a file, who wrote to it, deleted it, moved it, and many other things.

eb
0
BalackAuthor Commented:
Please rule out using any third-party software. I'm only interested in the Microsoft way.
0
Rich RumbleSecurity SamuraiCommented:
Not only do you have to enable file/folder auditing, you have to go to those files and folders and turn on the object access, and if not using a catch-all like "Authenticated Users" or "Everyone", you have to specify the users you want to audit...
As for the workstation, that is a separate event. You need to correlate where that user was logged on at the time of deletion, and/or what machine that user connected from.
Right-click the file/folder you want to audit, go to Properties, then the Security tab, then the Advanced button, then the Audit tab. Click Add, use a group, list individuals, or try a catch-all like Everyone, then select the type of action you want to audit, and if it's a folder you might check the apply-to-subfolders option (see attached).
-rich
object-access.PNG
0
BalackAuthor Commented:
Hi Richrumble,

I followed the steps in your previous mail, and I can get the audits in the event log. But the event log only shows the user name; it doesn't show the workstation from which the user performed the activities.

I don't have the event log snapshot, as I have to travel onsite to get it.
0
Rich RumbleSecurity SamuraiCommented:
It won't log the workstation; you'll have to correlate that on your own with other event log entries. You can find the same user name and the workstation in events 528 and 540.
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=540
-rich
0
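The correlation described in the answer above, as an added example that is not part of the original thread: it joins audited delete entries to logon events 528/540 from an exported Security log to recover the workstation. The record layout, field names, the use of ID 560 for the object-access entry, and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime

LOGON_IDS = {528, 540}  # logon events named in the answer above
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not a real log). Field names are assumptions;
# 560 stands in for the object-access audit entry that records the delete.
EVENTS = [
    {"time": "2010-04-12 08:55:10", "id": 540, "user": "jsmith", "logon_id": "0x3E1A2", "workstation": "WS-ACCT-07"},
    {"time": "2010-04-12 09:01:44", "id": 540, "user": "mlee", "logon_id": "0x3F0B9", "workstation": "WS-HR-02"},
    {"time": "2010-04-12 09:10:00", "id": 528, "user": "jsmith", "logon_id": "0x41C77", "workstation": "WS-LAB-11"},
    {"time": "2010-04-12 09:14:31", "id": 560, "user": "jsmith", "logon_id": "0x3E1A2",
     "object": r"D:\Shares\Finance\Q1", "accesses": "DELETE"},
    {"time": "2010-04-12 09:16:02", "id": 560, "user": "MLEE", "logon_id": "",
     "object": r"D:\Shares\HR\Forms", "accesses": "DELETE"},
    {"time": "2010-04-12 09:30:00", "id": 560, "user": "tkhan", "logon_id": "0x50000",
     "object": r"D:\Shares\Finance\Q2", "accesses": "DELETE"},
]

def correlate_deletes(events):
    """Attach a workstation to each audited delete using logon events."""
    logons = [e for e in events if e["id"] in LOGON_IDS]
    out = []
    for ev in events:
        if ev["id"] in LOGON_IDS or "DELETE" not in ev.get("accesses", ""):
            continue
        when = datetime.strptime(ev["time"], FMT)
        # Logons by the same user that happened before the delete.
        prior = [l for l in logons
                 if l["user"].lower() == ev["user"].lower()
                 and datetime.strptime(l["time"], FMT) <= when]
        # A shared logon ID pins the exact session; otherwise fall back to the
        # most recent earlier logon, which is only a best guess.
        exact = [l for l in prior
                 if ev.get("logon_id") and l["logon_id"] == ev["logon_id"]]
        pool, how = (exact, "logon_id") if exact else (prior, "user+time")
        hit = max(pool, key=lambda l: l["time"], default=None)
        out.append({"user": ev["user"], "object": ev["object"], "time": ev["time"],
                    "workstation": hit["workstation"] if hit else None,
                    "matched_by": how if hit else "unresolved"})
    return out

if __name__ == "__main__":
    for row in correlate_deletes(EVENTS):
        print(row)
```

An "unresolved" row means the matching logon is not in the exported window, which usually points to a Security log that is too small or was overwritten before collection.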

BalackAuthor Commented:
Is ok
0