Avatar of Shankar3003

audit for folder movement tracking

Hi, I have enabled auditing for all folders and files. However, in my event logs I am not able to find who has moved one folder to another location. How do I enable tracking for this or view it in the event logs?
Avatar of MidnightOne

You'll be looking for file and folder auditing; in the local security settings, it's under Local Policies | audit policies, with the item being Audit Object Access.

Once done, you'll want to enable this ONLY on the folders you're suspicious of, because the security log will fill VERY quickly. gives an idea on how to do this much more eloquently than I could.
Avatar of Shankar3003


I have already enabled that. My question is how to know from the event log ID that this folder was moved. Can you give an example?
I also had a hard time reviewing that information. I had software installed called EventSentry to monitor something else when I discovered they added some additional file tracking functionality. They have a query interface and you can query the folder that's missing and figure out who moved it and where. Anyway... FWIW.
Moving a file (or folder) is actually a two-stage operation: Copy the file from point A to point B, and delete it from point A.

Unfortunately, I do not have this type of monitoring in place, however you could create a new folder C:\TEST, copy a few files into it, then move it to another folder and see what events this throws into the security log.

I'd advise doing this after hours if only to lessen the number of events to filter through.
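
As an added example (not part of the original thread), the security log can be filtered after the C:\TEST experiment described above to show who requested delete access on the folder, which is what removing it from its original location generates. It assumes Windows Vista / Server 2008 or later (where object access is logged as event ID 4663), that Audit Object Access is enabled, and that the folder's auditing entries cover Delete; the one-hour window is an arbitrary choice.

```powershell
# Added example: list who requested DELETE access on a folder (or anything under it).
# Assumptions: event ID 4663 is in use (Vista / Server 2008 or later), the folder has
# an auditing entry covering Delete, and this runs from an elevated prompt.
$folder = 'C:\TEST'                  # test folder from the post above
$since  = (Get-Date).AddHours(-1)    # arbitrary look-back window
$DELETE = 0x10000                    # DELETE bit in the event's AccessMask field

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663                 # "An attempt was made to access an object"
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Turn the <EventData> name/value pairs into a hashtable
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # AccessMask is logged as a hex string such as 0x10000
    $mask = [Convert]::ToInt32($d['AccessMask'], 16)
    $hit  = ($d['ObjectName'] -eq $folder) -or ($d['ObjectName'] -like "$folder\*")

    if ($hit -and ($mask -band $DELETE)) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The event records the account and process that removed the object from its original path, not the destination; finding where it went requires auditing on the target location as well.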
Avatar of JustMy2Cents
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You should use ScriptLogic's File System Auditor. It can track all the file movement on the server for you. It can generate reports. The cost is not expensive either.

If you are constantly seeing files moved or deleted but do not know who did it, and want to prevent that from happening again, this is the product.