Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Is there a realistic way to log file share activity on Win 2008 server?

Posted on 2011-09-14
3
Medium Priority
?
356 Views
Last Modified: 2012-05-12
We have had a few instances of folders on shares being deleted, and no one (obviously) admits to be doing it...  A few days ago, the entire contents of a folder was deleted, but not the folder itself.  I have seen plenty of times when a user accidentally drags a folder into an ajacent folder.  But now we are spending too much time restoring large folders from tape, so I'd like to identify who is doing it, and have a "chat" with them.

We have a modest amount of file usage during a day, our nighly incremental backups are upwards of 12 gigs.  I inagine these logs would get pretty big, that and never having the need to do so, has never needed me to look at this, until now.  I'd really only want to see deletions and moves I think...

It's a single Windows 2008 file server in a single AD domain.  The share is open to the "everyone" group.

If this were you, how would you go about tracking down the "culprit"?
0
Comment
Question by:mchad65
  • 2
3 Comments
 
LVL 17

Expert Comment

by:pjam
ID: 36538958
You can purchase software to track it or you can try turning on the Audit feature.
I have mine turned on for that reason, but it is too early to tell who is deleting files.
Here is a link to explain how to turn it on:
http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx
0
 

Author Comment

by:mchad65
ID: 36543156
The build in auditing is unmanagable and vague.  It seems to create multiple log entries for a single file read access.  The log filled up in less then 30 seconds after turning it on.  That, and it doesn't seem to capture deletes, which is want I really need.  

Any recommendations on a 3rd party solution?
0
 
LVL 17

Accepted Solution

by:
pjam earned 2000 total points
ID: 36543206
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question