Link to home
Create AccountLog in
Avatar of ibrahim52
ibrahim52Flag for United Arab Emirates

asked on

Windows Server 2008 Event Viewer

The question is really simple and short. I had a common folder shared between all the domain users, now today one of the file is missing in that shared folder and company would like to TRACE the user who did that, i spoke to some experts on phone and they said look in the event viewer, i couldn't find anything with the NAME of that FILE in the E.V, is there any other way around ?
Avatar of pjam
pjam
Flag of United States of America image

We have had the same issue.  I believe you have to have some kind of auditing turned on or installed but couldn't say what that is for sure.  Will be good to see what others have to say.
This kind of events is not recorded by default. You are not able to check the past. The only thing you can do it to record such events in the future.
Avatar of ibrahim52

ASKER

and the question is HOW
Avatar of Dave Lloyd
Enable file and folder auditing:
Go to Local Security Policy under administrative tools.
Navigate to Local Policies/Audit Policy
open Audit object access and enable success and failure.

This sets the *ability* to audit.  Now you need to enable it on the folders/file you want.
Right click the appropriate folder/file and go properties
Security tab
Advanced button
Auditing tab/Edit/Add
Select the appropriate security group (or Everyone group if you wish)
Select the specific events you wan to audit - in your example you want 'Delete subfolders and files' with the 'success' option
OK/apply as appropriate
Voilla

Note that auditing files and folders WILL create additional load on the server - use sparingly.
Alright, let me check because currently i am re-designing the whole FILE SHARING thing on my network and going to enable to audit policies. Thanks for your help.
Disorganise,
Once that is set up how do you find what you want in Security Event Viewer?
Sorry to but in again, but I believe ibrahim52 will have the same question once he turns his on.

I set mine up last week and thought I would see what I could find so searched for delete and all I found was SAM stuff.
Searched Microsoft Windows 2008 home site and found stuff on W2000 & NT$.  :(
ASKER CERTIFIED SOLUTION
Avatar of Dave Lloyd
Dave Lloyd
Flag of Australia image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Thanks Disorganise,
ibrahim52 and I owe you one.
Have a great day
I have to say sorry again after accepting solutions to every question i start the reason is because i can't give more of my time to try out the suggestions instantly and it takes me around 2-3 weeks to spare time and start fixing the issue using experts suggested solution. Thank you.