Tracking who deleted files on Windows Server 2003

We had a folder deleted on our 2003 server and were looking to see who deleted. I followed the advice in link below, but did not do the trick. We need to know what file or folder was deleted and by who. Right now, I have 'Audit Object Access' under 'Audit Policty' set to track Sucess & Failure, but that does not track or specify the name of folder/file affected.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23211963.html 

Thank you.
htamraz1Director of TechnologyAsked:
Who is Participating?
 
oBdACommented:
As described in the link in the question you've linked above:
How to audit user access of files, folders, and printers in Windows XP
http://support.microsoft.com/kb/310399 
Auditing the file system requires two things:
- Enabling the policy auditing for object access
- Enabling auditing on the files and folders to be audited (basically the same way you assign NTFS permissions)
If only the auditing policy was enabled, but there were no auditing ACLs on the files, then I'm afraid you'll just have to restore the deleted folder from backup and live with the fact that there's no way to retroactively find out who deleted the folder.
Don't get carried away if you're planning to enable it now, though; enabling auditing on all folders for all users can bring down the most powerful file server and flood your security event log.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.