[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1050
  • Last Modified:

How can I find out who deleted a folder from a File Server?

I am running a file server using Windows Server 2008 R2 Enterprise.  Files reside in an ISCSi drive on same server.  I have been restoring files from backups but now its becoming a pain in the buttocks.  I would like to know if there is a feature I can turn on to be able to see who made the deletion or move.

Thanks
0
IgaravidezK
Asked:
IgaravidezK
  • 5
  • 2
  • 2
  • +1
1 Solution
 
Joseph DalyCommented:
You would need to have already had auditing turned on on the server. Then you would have to look through the event logs for a success audit for the folder itself. If you did not have auditing already enabled and configured properly you will most likely not be able to find out who deleted this file.
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
Enable Auditing.

See:
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

Then such actions can be looked up in the Security Event Log.
0
 
Randy DownsOWNERCommented:
This is for an older version of server but probably still applies

http://www.suramya.com/blog/2007/10/how-to-find-out-who-deleted-a-particular-file/

enable auditing the folder you want to keep track of. Just right click on the folder, go to “sharing and security”, then “security” tab, at the bottom click on “advanced”. Select the auditing tab, click add, select the group or users to track, then pick what actions you want to track.

To track file deletion you would enable:

Create files/Write data Success/Fail
Create folders / append data Success/Fail
Delete Subfolders/Files Success/Fail
Delete Suceess/Fail

Once thats done Windows will log all the information in the security event log.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
IgaravidezKAuthor Commented:
Thank you Leew.  The post was very helpful.  How do I tighten up the security logs so I only get the File system logs and nothing else?
0
 
IgaravidezKAuthor Commented:
Also, which permission do I have to deny if someone wants to move a folder into another folder?

Sorry, but I am newe at this.

Thanks
0
 
Randy DownsOWNERCommented:
If you don't want them to move folders you just give them read privileges.
0
 
IgaravidezKAuthor Commented:
My mistake.  I also want them to be able to creat folders and files within the folder.  I am denying the DELETE option but no mention of a move.  Is that the same as Delete?
0
 
IgaravidezKAuthor Commented:
I've requested that this question be deleted for the following reason:

None of the answers were helpful and don't think AD is able to do this request
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
I object.  The question asked: "I would like to know if there is a feature I can turn on to be able to see who made the deletion or move."

The answer I provided was: "Enable Auditing." and provided a link.  Subsequently, the asker stated: "Thank you Leew.  The post was very helpful."  As for the subsequent question within that very same comment - you filter the logs like you would any other event log for just the data you want.  Or export the logs as a CSV and analyze them in Excel.

0
 
IgaravidezKAuthor Commented:
Yes, you  are correct.  We did try it and assumed it would help as we started to get all in all audit info.  But in the end could not give me info for user.  Apparently there is no auditing for just a move or rename of folders.  Thanks anyhow
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 5
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now