Solved

How do you turn on file auditing on a server in a domain?

Posted on 2012-03-21
Last Modified: 2012-06-21
I've been having a problem with people deleting files. Where people go, I have no idea what happened. I need to set up auditing so I can see who deletes the files on the server. I had it set at one point, but all it generated was Event ID 560s and did not tell me who and what file.
Question by:Joeteck
7 Comments
 
LVL 42

Expert Comment

by:Adam Brown
ID: 37749618
For file system auditing, you have to configure the level of auditing for Object Access in Group Policy to enabled on the server as well as configuring auditing on the drives themselves. You can do this in a GPO by adding the Drive you want in Computer Configuration\Windows Settings\Security Settings\File System. When the permissions screen shows up, go to Advanced, then the auditing tab and set the level of auditing you want to perform in there. I recommend against auditing success on reads. To keep track of when stuff is deleted, set Delete to audit success and failure.
0
 

Expert Comment

by:Elohir
ID: 37749630
You need to enable "Audit Object Access" in Group Policy or Local Security Policy, under "Local Policies -> Audit Policy", and then you will be able to configure file auditing in the Audit tab. But be careful, as this can put a very heavy load on a file server. Keep a close eye on your performance if you do this.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 37749646
Also note that object deleted events will report an event ID of 564. Enabling file system auditing will result in a *lot* of generated events, so you'll have a lot of stuff to dig through. The events generated will also occasionally be a result of programs being opened and closed, as some programs will create and delete files when they operate. It's usually a good idea to only turn on file system auditing on a limited number of directories on the computer, like a shared folder, so you don't get as many false positives.
0
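
The configuration described in the comments above, as an added PowerShell example that is not code from any of the posters: it enables the audit policy and adds a Delete success/failure audit entry to one shared folder only. The path `D:\Shares\Projects` and the `Everyone` principal are assumptions, and the `auditpol` subcategory form applies to Windows Server 2008 and later (on Windows 2003 the policy is set through Group Policy or Local Security Policy as described above).

```powershell
# Added example; run from an elevated PowerShell session on the file server.
# Assumption: $Path is the single shared folder you want to watch.
$Path = 'D:\Shares\Projects'

# 1. Audit policy: enable the "File System" subcategory of Object Access.
#    Without this, audit entries on the folder produce no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Audit entry (SACL): Delete, success and failure, inherited by
#    subfolders and files. Reads are deliberately not audited.
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $flags)

# Get-Acl only returns the audit entries when -Audit is given.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Verify both halves of the configuration.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```
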

 
LVL 4

Author Comment

by:Joeteck
ID: 37749821
Event ID 564 is pretty much useless. I'm more interested in generating event ID 4663, and reading that from my third party program... I will have it reading my security log waiting for Event ID 4663, which is much more useful... Once I find out how to generate this Event ID, I'm golden!
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 37749856
That event ID is only generated in Vista, 7, and Windows 2008. If you're monitoring a Windows 2003 server, it will never come up.
0
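
Reading Event ID 4663 for deletions, as an added PowerShell example that is not code from the thread: it pulls 4663 records from the Security log, keeps those whose access mask includes DELETE, and reports user, process and file. The function name `Get-DeleteAuditEvent` and the folder `D:\Shares\Projects` are assumptions; it applies to Vista, 7 and Windows 2008 or later, where 4663 is generated.

```powershell
# Added example, not code from the thread. Run elevated on the audited server.
$DELETE = 0x10000   # DELETE bit in the AccessMask field of event 4663

function Get-DeleteAuditEvent {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$PathPrefix = 'D:\Shares\Projects'   # assumption: audited folder
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data>; index by name.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            $mask   = [Convert]::ToInt32([string]$data['AccessMask'], 16)
            $object = [string]$data['ObjectName']

            # Keep only accesses that used DELETE on objects under the folder.
            $isDelete = ($mask -band $DELETE) -ne 0
            $inScope  = $object.StartsWith($PathPrefix, [StringComparison]::OrdinalIgnoreCase)
            if ($isDelete -and $inScope) {
                New-Object psobject -Property @{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Object  = $object
                    Process = $data['ProcessName']
                }
            }
        }
}

Get-DeleteAuditEvent | Sort-Object Time |
    Format-Table Time, User, Process, Object -AutoSize
```

The Process column helps separate deletions made by a person from the temporary-file churn of applications mentioned earlier in the thread.
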
 
LVL 4

Author Comment

by:Joeteck
ID: 37752113
So, what you're saying is that I need a third party program that can do this?
0
 
LVL 4

Accepted Solution

by:
JustMy2Cents earned 2000 total points
ID: 37753446
FileAudit (http://www.isdecisions.com/products/fileaudit/) would come in handy here, Joeteck, as this software solution monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

Plus, FileAudit will enable "Audit Object Access" for you and will configure the NTFS audit as well.

You can download a free, fully-functional trial from here:
http://www.isdecisions.com/download/fileaudit.htm
0


Question has a verified solution.
