Solved

How can I audit a file being deleted by a domain user?

Posted on 2011-09-25
3
170 Views
Last Modified: 2012-05-12
Is there any methods that I can audit files in the Win03 Srv environment that can have
history to let me know which users delete which files on the server,
as I discover that some files that shared by a user group, and sometimes there will have
some file missing suddenly, how can I check out exactly who deleted the files?
is the Win03 server include the audit fucntion? if yes how to enable it?
if not is there any 3 party freeware can do te same function? thanks.
0
Comment
Question by:SamuelLam1997
  • 2
3 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36597322
Yes, it's possible. You need to enable Objects Auditing ona File Server. How to do that is really good described in MS article at
http://support.microsoft.com/kb/814595

Remember, do not enable to much audits because logs (event logs) would be difficult to analyze.

Regards,
Krzysztof
0
 
LVL 8

Accepted Solution

by:
vinsvin earned 500 total points
ID: 36597443
HOW TO: Audit Active Directory Objects in Windows Server 2003

Configure an Audit Policy Setting for a Domain Controller
By default, auditing is turned off. For domain controllers, an audit policy setting is configured for all domain controllers in the domain. To audit events that occur on domain controllers, configure an audit policy setting that applies to all domain controllers in a non-local Group Policy object (GPO) for the domain. You can access this policy setting through the Domain Controllers organizational unit. To audit user access to Active Directory objects, configure the Audit Directory Service Access event category in the audit policy setting.

NOTES
You must grant the Manage Auditing And Security Log user right to the computer where you want to either configure an audit policy setting or review an audit log. By default, Windows Server 2003 grants these rights to the Administrators group.
The files and folders that you want to audit must be on Microsoft Windows NT file system (NTFS) volumes.
To configure an audit policy setting for a domain controller:
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
On the View menu, click Advanced Features.
Right-click Domain Controllers, and then click Properties.
Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit.
Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
In the right pane, right-click Audit Directory Services Access, and then click Properties.
Click Define These Policy Settings, and then click to select one or both of the following check boxes:
Success: Click to select this check box to audit successful attempts for the event category.
Failure: Click to select this check box to audit failed attempts for the event category.
Right-click any other event category that you want to audit, and then click Properties.
Click OK.
Because the changes that you make to your computer's audit policy setting take effect only when the policy setting is propagated or applied to your computer, complete either of the following steps to initiate policy propagation:
Type gpupdate /Target:computer at the command prompt, and then press ENTER.
Wait for automatic policy propagation that occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes.
Open the Security log to view logged events.

Note If you are either a domain or an enterprise administrator, you can enable security auditing for workstations, member servers, and domain controllers remotely.

Configure Auditing for Specific Active Directory Objects
After you configure an audit policy setting, you can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access that you want to audit. To configure auditing for specific Active Directory objects:
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Make sure that Advanced Features is selected on the View menu by making sure that the command has a check mark next to it.
Right-click the Active Directory object that you want to audit, and then click Properties.
Click the Security tab, and then click Advanced.
Click the Auditing tab, and then click Add.
Complete one of the following:
Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, and then click OK.
In the list of names, double-click either the user or the group whose access you want to audit.
Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
Click OK, and then click OK.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36715707
Does this solution work for you or you need further assistance?

Krzysztof
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Join & Write a Comment

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
Learn about cloud computing and its benefits for small business owners.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now