• Status: Solved

How to track user actions on deleting file and folder in Windows domain?

This is using a Windows 2003 AD domain. A DC also works as the file server. Recently, a subfolder in one of the shared folders was found deleted. I have a problem tracking it, as no event is being logged in the Event Viewer. What can I do to track it?
Balack
Asked:
1 Solution
 
thabash Commented:
You can't track.

Solution: on the shared folder, give the option to read only if you don't want anybody to delete files.
Why don't you try any recovery software to recover the deleted file?
Where is your backup strategy?
 
thabash Commented:
I advise you to use this software: PA File Sight 3.7.
It will solve your issue.

Try the trial version:
http://www.poweradmin.com/file-sight/index.aspx?source=adwords&campaign=file-sight-search&adgroup=deleted-files&ad=009&gclid=CKKXhaO996ACFVMB4wodskcDGw
 
dexIT Commented:
On the DC, edit the GPO. You need to enable success and failure auditing for object access, enable it for the delete action and apply it to Everyone (AD group).
 
Balack (Author) Commented:
I only want to track delete/add/modify on shared folders on the DC. Does it mean that I have to edit GPOs for the domain controller?
 
Balack (Author) Commented:
I did exactly what dexIT told me, and I can get security events for user actions on the selected shared folder. But the events only show the user, not the workstation. Is there a way to show the workstation as well?
 
Balack (Author) Commented:
Hi DexIT,

Any suggestion?
 
Glen Knight Commented:
This can be done quite easily by enabling file and folder auditing as per: http://support.microsoft.com/kb/325898
 
Jim P. Commented:
You may also want to look at third-party software. Do a Google search for "network auditing" software. Most of them can consolidate and flag exceptions. That isn't really in the basic Windows package.
 
Erik Bjers (Principal Systems Administrator) Commented:
http://www.tripwire.com/ is the choice of many big companies as it can track who accessed a file, who wrote to it, deleted it, moved it, and many other things.

eb
 
Balack (Author) Commented:
Please rule out using any 3rd-party software. I'm only interested in using the Microsoft way.
 
Rich Rumble (Security Samurai) Commented:
Not only do you have to enable file/folder auditing, you have to go to those files and folders and turn on the object access, and if not using a catch-all like "Authenticated Users" or "Everyone", you have to specify the users you want to audit...
As for the workstation, that is a separate event. You need to correlate where that user was logged on at the time of deletion, and/or what machine that user connected from.
Right-click the file/folder you want to audit, go to Properties, then the Security tab, then the Advanced button, then the Audit tab. Add, use a group, list individuals, or try a catch-all like Everyone, then select the type of action you want to audit, and if it's a folder you might check the apply to subfolders option (see attached).
-rich
object-access.PNG
 
Balack (Author) Commented:
Hi Richrumble,

I followed the steps in your previous mail, and I can get the audits in the event log. But the event log only shows the user name; it doesn't show the workstation where the user engaged in the activities.

I don't have an event log snapshot, as I have to travel onsite to get it.
 
Rich Rumble (Security Samurai) Commented:
It won't log the workstation; you'll have to correlate that on your own with other event log entries. You can find the same user name and the workstation in events 528 and 540:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=540
-rich
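The correlation described in the comment above (matching a delete audit entry to the same user's 528/540 logon events to recover the workstation), as an added example that is not part of the original thread. It runs over constructed records; the pipe-delimited export layout, the `DELETE` marker standing in for the object-access audit entry, the 10-hour window, and all user, workstation and path names are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample records, as if exported from the file server's Security log.
# The layout time|event|user|detail is an assumption of this example.
SAMPLE = """\
2010-04-12 08:55:10|528|CORP\\alice|WS-ALICE
2010-04-12 09:01:44|540|CORP\\bob|WS-014
2010-04-12 09:40:02|540|CORP\\bob|WS-022
2010-04-12 09:41:30|DELETE|CORP\\bob|D:\\Shares\\Projects\\Q1
2010-04-12 13:05:00|DELETE|CORP\\carol|D:\\Shares\\Projects\\Q2
"""

LOGON_EVENTS = {"528", "540"}  # logon events carrying user name and workstation

def parse(text):
    """Turn each exported line into a dict with a real datetime."""
    rows = []
    for line in text.strip().splitlines():
        ts, event, user, detail = line.split("|", 3)
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "event": event, "user": user.lower(), "detail": detail})
    return rows

def correlate(rows, window=timedelta(hours=10)):
    """For each delete audit, list the workstations the same user logged on
    from within `window` before the deletion, most recent first."""
    logons = [r for r in rows if r["event"] in LOGON_EVENTS]
    report = []
    for d in (r for r in rows if r["event"] == "DELETE"):
        hits = sorted((l for l in logons
                       if l["user"] == d["user"]
                       and timedelta(0) <= d["time"] - l["time"] <= window),
                      key=lambda l: l["time"], reverse=True)
        # De-duplicate workstation names while keeping most-recent-first order.
        stations = list(dict.fromkeys(l["detail"] for l in hits))
        report.append({"path": d["detail"], "user": d["user"],
                       "time": d["time"], "workstations": stations})
    return report

if __name__ == "__main__":
    for item in correlate(parse(SAMPLE)):
        where = ", ".join(item["workstations"]) or "no logon in window"
        print(f'{item["time"]} {item["user"]} deleted {item["path"]} <- {where}')
```

More than one workstation in a result means the user name alone is ambiguous for that time span; an empty list means the matching logon is older than the window or was not captured in the export.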
 
Balack (Author) Commented:
Is ok