audit for folder movement tracking

Hi, i have enabled audit for all folders and files. However in my event logs i am not able to find who has moved one folder to another location. How to enable tracking for this or view in event logs?
Shankar3003Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MidnightOneCommented:
You'll be looking for file and folder auditing; in the local security settings, it's under Local Policies | audit policies, with the item being Audit Object Access.

Once done, you'll want to enable this ONLY on the folders you're suspicious of, because the security log will fill VERY quickly.

http://techrepublic.com.com/5208-11184-0.html?forumID=39&threadID=171854&messageID=1748716 gives an idea on how to do this much more eloquently that I could.
Shankar3003Author Commented:
i have already enabled that. My question is how to know from event log id that this folder is moved? can give an example?
digitapCommented:
i also had a hard time reviewing that information.  i had software installed called event sentry to monitor something else when i discovered they added some additional file tracking functioanlity.  they have a query interface and you can query the folder that's missing and figure out who moved it and where.  anyway...FWIW.
Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

MidnightOneCommented:
Moving a file (or folder) is actually a two-stage operation: Copy the file from point A to point B, and delete it from point A.

Unfortunately, I do not have this type of monitoring in place, however you could create a new folder C:\TEST, copy a few files into it, then move it to another folder and see what events this throws into the security log.

I'd advise doing this after hours if only to lessen the number of events to filter through.
JustMy2CentsCommented:
FileAudit (http://www.fileaudit.com) might help you, as this 3rd-party software solution displays for:

- a file
- a selection of files
- a folder and subfolders
- a selection of folders and subfolders

the list of:

- read/write accesses
- file deletion attempts (accepted or denied)
- appropriation attempts (accepted or denied)
- permission modification attempts (accepted or denied)


each record detailing:

- the user
- the domain
- the date and time of connection and disconnection

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ZTeckCommented:
You should use ScriptLogic's File System Auditor, http://www.scriptlogic.com/products/filesystemauditor. It can all the file movement on the server for you. It can generate reports. The cost is not expensive either.

If you constantly seeing file moved or deleted but not knowing who did it to prevent them from happening again, this is the product.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server Apps

From novice to tech pro — start learning today.