• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 209
  • Last Modified:

who deleted folder?

Two months ago, I heard that one of our staff that was deleting some files from our network and I would like to go back to see if it's true that the particular individual did deleted it. I can g to the Security Event Log but it only logs the most recent events. So how can I go back two months ago and see it? Any suggestiions?
0
dcanuday
Asked:
dcanuday
  • 2
2 Solutions
 
JBond2010Commented:
I don't think you can. What you need to do is configure Auditing of the Shared Folder or Folders. If you do not have Auditing configured then there would be no way of knowing. Refer to the link below and this will explain how to configure Auditing.

http://www.petri.co.il/forums/showthread.php?t=5422
0
 
JBond2010Commented:
So what you need to do is in Group Policy create a new GPO and give this GPO a discriptive name such as 'Auditing Folder Deletion'. Edit this GPO and go to > Computer Configuration > Windows Settings > Security Settings > Local Policies > Click on Audit Policy > rigth click on Audit Object Access and tick Define these policy settings and also tick Sucess and Failure.

You can then link this GPO to the Site, Domain or OU. The next step is to enable Auditing on the folder. So close Group Policy and then in Windows Explorer or My Computer, right click on the Shared Folder, or Folder that you want to Audit and select Properties > Security > Advanced > Auditing > Add the Group you want to Audit. You can add the Everyone Group so you can Audit all users in your Domain and all other accounts that would not be apart of the Domain Users Group. The last part would be to select the entried you want to Audit such as Delete Subfolder and Files etc.

These log files will be generated in the Windows Security Logs on the Server in Event Viewer.
0
 
bbaoIT ConsultantCommented:
if you never enabled AUDIT and defined specific NTFS-based folders for AUDIT, you have NO way to know who deleted something.

however, do it now, next time you may see something when required.

HOW TO: Audit Active Directory Objects in Windows Server 2003
http://support.microsoft.com/kb/814595

hope it helps,
bbao
0
 
TolomirAdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now