ibrahim52
asked on
Windows Server 2008 Event Viewer
The question is really simple and short. I had a common folder shared between all the domain users, now today one of the file is missing in that shared folder and company would like to TRACE the user who did that, i spoke to some experts on phone and they said look in the event viewer, i couldn't find anything with the NAME of that FILE in the E.V, is there any other way around ?
We have had the same issue. I believe you have to have some kind of auditing turned on or installed but couldn't say what that is for sure. Will be good to see what others have to say.
This kind of events is not recorded by default. You are not able to check the past. The only thing you can do it to record such events in the future.
ASKER
and the question is HOW
Enable file and folder auditing:
Go to Local Security Policy under administrative tools.
Navigate to Local Policies/Audit Policy
open Audit object access and enable success and failure.
This sets the *ability* to audit. Now you need to enable it on the folders/file you want.
Right click the appropriate folder/file and go properties
Security tab
Advanced button
Auditing tab/Edit/Add
Select the appropriate security group (or Everyone group if you wish)
Select the specific events you wan to audit - in your example you want 'Delete subfolders and files' with the 'success' option
OK/apply as appropriate
Voilla
Note that auditing files and folders WILL create additional load on the server - use sparingly.
Go to Local Security Policy under administrative tools.
Navigate to Local Policies/Audit Policy
open Audit object access and enable success and failure.
This sets the *ability* to audit. Now you need to enable it on the folders/file you want.
Right click the appropriate folder/file and go properties
Security tab
Advanced button
Auditing tab/Edit/Add
Select the appropriate security group (or Everyone group if you wish)
Select the specific events you wan to audit - in your example you want 'Delete subfolders and files' with the 'success' option
OK/apply as appropriate
Voilla
Note that auditing files and folders WILL create additional load on the server - use sparingly.
ASKER
Alright, let me check because currently i am re-designing the whole FILE SHARING thing on my network and going to enable to audit policies. Thanks for your help.
Disorganise,
Once that is set up how do you find what you want in Security Event Viewer?
Sorry to but in again, but I believe ibrahim52 will have the same question once he turns his on.
I set mine up last week and thought I would see what I could find so searched for delete and all I found was SAM stuff.
Searched Microsoft Windows 2008 home site and found stuff on W2000 & NT$. :(
Once that is set up how do you find what you want in Security Event Viewer?
Sorry to but in again, but I believe ibrahim52 will have the same question once he turns his on.
I set mine up last week and thought I would see what I could find so searched for delete and all I found was SAM stuff.
Searched Microsoft Windows 2008 home site and found stuff on W2000 & NT$. :(
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Thanks Disorganise,
ibrahim52 and I owe you one.
Have a great day
ibrahim52 and I owe you one.
Have a great day
ASKER
I have to say sorry again after accepting solutions to every question i start the reason is because i can't give more of my time to try out the suggestions instantly and it takes me around 2-3 weeks to spare time and start fixing the issue using experts suggested solution. Thank you.