Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 899
  • Last Modified:

Tracking who deleted files on Windows Server 2003

We had a folder deleted on our 2003 server and were looking to see who deleted. I followed the advice in link below, but did not do the trick. We need to know what file or folder was deleted and by who. Right now, I have 'Audit Object Access' under 'Audit Policty' set to track Sucess & Failure, but that does not track or specify the name of folder/file affected.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23211963.html 

Thank you.
0
htamraz1
Asked:
htamraz1
1 Solution
 
oBdACommented:
As described in the link in the question you've linked above:
How to audit user access of files, folders, and printers in Windows XP
http://support.microsoft.com/kb/310399 
Auditing the file system requires two things:
- Enabling the policy auditing for object access
- Enabling auditing on the files and folders to be audited (basically the same way you assign NTFS permissions)
If only the auditing policy was enabled, but there were no auditing ACLs on the files, then I'm afraid you'll just have to restore the deleted folder from backup and live with the fact that there's no way to retroactively find out who deleted the folder.
Don't get carried away if you're planning to enable it now, though; enabling auditing on all folders for all users can bring down the most powerful file server and flood your security event log.
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now