We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

How can I find out who deleted a folder from a File Server?

Medium Priority
1,099 Views
Last Modified: 2012-06-27
I am running a file server using Windows Server 2008 R2 Enterprise.  Files reside in an ISCSi drive on same server.  I have been restoring files from backups but now its becoming a pain in the buttocks.  I would like to know if there is a feature I can turn on to be able to see who made the deletion or move.

Thanks
Comment
Watch Question

CERTIFIED EXPERT

Commented:
You would need to have already had auditing turned on on the server. Then you would have to look through the event logs for a success audit for the folder itself. If you did not have auditing already enabled and configured properly you will most likely not be able to find out who deleted this file.
Lee W, MVPTechnology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
Enable Auditing.

See:
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

Then such actions can be looked up in the Security Event Log.
CERTIFIED EXPERT

Commented:
This is for an older version of server but probably still applies

http://www.suramya.com/blog/2007/10/how-to-find-out-who-deleted-a-particular-file/

enable auditing the folder you want to keep track of. Just right click on the folder, go to “sharing and security”, then “security” tab, at the bottom click on “advanced”. Select the auditing tab, click add, select the group or users to track, then pick what actions you want to track.

To track file deletion you would enable:

Create files/Write data Success/Fail
Create folders / append data Success/Fail
Delete Subfolders/Files Success/Fail
Delete Suceess/Fail

Once thats done Windows will log all the information in the security event log.

Author

Commented:
Thank you Leew.  The post was very helpful.  How do I tighten up the security logs so I only get the File system logs and nothing else?

Author

Commented:
Also, which permission do I have to deny if someone wants to move a folder into another folder?

Sorry, but I am newe at this.

Thanks
CERTIFIED EXPERT

Commented:
If you don't want them to move folders you just give them read privileges.

Author

Commented:
My mistake.  I also want them to be able to creat folders and files within the folder.  I am denying the DELETE option but no mention of a move.  Is that the same as Delete?

Author

Commented:
I've requested that this question be deleted for the following reason:

None of the answers were helpful and don't think AD is able to do this request
Technology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Yes, you  are correct.  We did try it and assumed it would help as we started to get all in all audit info.  But in the end could not give me info for user.  Apparently there is no auditing for just a move or rename of folders.  Thanks anyhow
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.