How do you turn on file auditing on a server in a domain?

I been having a problem of people deleting files. Where people go, I have no idea what happened. I need to setup auditing so I can see who deletes the files on the server. I had it set at one point but all it generated was Event ID 560's and did not tell me who and what file..
LVL 4
JoeteckAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSr Solutions ArchitectCommented:
For file system auditing, you have to configure the level of auditing for Object Access in Group Policy to enabled on the server as well as configuring auditing on the drives themselves. You can do this in a GPO by adding the Drive you want in Computer Configuration\Windows Settings\Security Settings\File System. When the permissions screen shows up, go to Advanced, then the auditing tab and set the level of auditing you want to perform in there. I recommend against auditing success on reads. To keep track of when stuff is deleted, set Delete to audit success and failure.
0
ElohirCommented:
You need to Enable "Audit Object Access" in Group Policy or Local Security Policy, under "Local Policies -> Audit Policy" and then you will be able to configure file auditing in the Audit tab.  But be careful, as this can put a very heavy load on a file server.  Keep a close eye on your performance if you do this.
0
Adam BrownSr Solutions ArchitectCommented:
Also note that object deleted events will report an event ID of 564. Enabling file system auditing will result in a *lot* of generated events, so you'll have a lot of stuff to dig through. The events generated will also occasionally be a result of programs being opened and closed, as some programs will create and delete files when they operate. It's usually a good idea to only turn on file system auditing on a limited number of directories on the computer, like a shared folder, so you don't get as many false positives.
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

JoeteckAuthor Commented:
Event ID 564 is pretty much useless. I'm more interested in generating event ID 4663, and reading that from my third party program... I will have it reading my security log waiting for Event ID 4663, which is much more useful... Once I find out how to generate this Event ID, I'm golden!
0
Adam BrownSr Solutions ArchitectCommented:
That event ID is only generated in Vista, 7, and Windows 2008. If you're monitoring a Windows 2003 server, it will never come up.
0
JoeteckAuthor Commented:
So, what you're saying is that I need a third party program that can do this?
0
JustMy2CentsCommented:
FileAudit (http://www.isdecisions.com/products/fileaudit/) would come handy here Joeteck, as this software solution monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

Plus, FileAudit will enable "Audit Object Access" for you and will configure the NTFS audit as well.

You can download a free, fully-functional trial from here:
http://www.isdecisions.com/download/fileaudit.htm
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.