IgaravidezK

asked on

How can I find out who deleted a folder from a File Server?

I am running a file server using Windows Server 2008 R2 Enterprise. Files reside on an iSCSI drive on the same server. I have been restoring files from backups but now it's becoming a pain in the buttocks. I would like to know if there is a feature I can turn on to be able to see who made the deletion or move.

Thanks
Joseph Daly

You would need to have already had auditing turned on on the server. Then you would have to look through the event logs for a success audit for the folder itself. If you did not have auditing already enabled and configured properly you will most likely not be able to find out who deleted this file.
Enable Auditing.

See:
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

Then such actions can be looked up in the Security Event Log.
This is for an older version of server but probably still applies

http://www.suramya.com/blog/2007/10/how-to-find-out-who-deleted-a-particular-file/

Enable auditing on the folder you want to keep track of. Just right click on the folder, go to “sharing and security”, then “security” tab, at the bottom click on “advanced”. Select the auditing tab, click add, select the group or users to track, then pick what actions you want to track.

To track file deletion you would enable:

Create files / Write data Success/Fail
Create folders / Append data Success/Fail
Delete Subfolders/Files Success/Fail
Delete Success/Fail

Once that's done Windows will log all the information in the security event log.
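
The steps described above, scripted as an added example (not code from any of the posters): it enables the File System audit subcategory, adds an audit entry for the two delete rights to a folder, then lists only the Security log events (ID 4663 with the DELETE access mask 0x10000) for that folder. The folder path and the choice of `Everyone` as the audited principal are assumptions; run it from an elevated prompt on the file server.

```powershell
# Assumed folder to audit (hypothetical path; use the share's local path).
$Folder = 'D:\Shares\Projects'

# 1. Enable the "File System" audit subcategory so audit entries generate events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit rule (SACL entry) for the delete rights, inherited by
#    subfolders and files. 'Everyone' is an assumed principal.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Later: show who exercised DELETE under that folder. Filtering on event
#    ID 4663 keeps unrelated Security log entries out of the result.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # AccessMask is logged as hex text, e.g. "0x10000" for DELETE.
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)
        if ($d['ObjectName'] -like "$Folder*" -and ($mask -band 0x10000)) {
            New-Object PSObject -Property @{
                Time = $_.TimeCreated
                User = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Path = $d['ObjectName']
            }
        }
    }
```

Only deletions made after the audit entry is in place are logged, so size the Security log to retain events for as long as you need to look back.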
IgaravidezK

ASKER

Thank you Leew.  The post was very helpful.  How do I tighten up the security logs so I only get the File system logs and nothing else?
Also, which permission do I have to deny if someone wants to move a folder into another folder?

Sorry, but I am new at this.

Thanks
If you don't want them to move folders you just give them read privileges.
My mistake. I also want them to be able to create folders and files within the folder. I am denying the DELETE option but no mention of a move. Is that the same as Delete?
I've requested that this question be deleted for the following reason:

None of the answers were helpful and don't think AD is able to do this request
ASKER CERTIFIED SOLUTION
Lee W, MVP
This solution is only available to members.
Yes, you are correct. We did try it and assumed it would help as we started to get all in all audit info. But in the end could not give me info for user. Apparently there is no auditing for just a move or rename of folders. Thanks anyhow.