Solved

How do you turn on file auditing on a server in a domain?

Posted on 2012-03-21
7
147 Views
Last Modified: 2012-06-21
I been having a problem of people deleting files. Where people go, I have no idea what happened. I need to setup auditing so I can see who deletes the files on the server. I had it set at one point but all it generated was Event ID 560's and did not tell me who and what file..
0
Comment
Question by:Joeteck
7 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37749618
For file system auditing, you have to configure the level of auditing for Object Access in Group Policy to enabled on the server as well as configuring auditing on the drives themselves. You can do this in a GPO by adding the Drive you want in Computer Configuration\Windows Settings\Security Settings\File System. When the permissions screen shows up, go to Advanced, then the auditing tab and set the level of auditing you want to perform in there. I recommend against auditing success on reads. To keep track of when stuff is deleted, set Delete to audit success and failure.
0
 

Expert Comment

by:Elohir
ID: 37749630
You need to Enable "Audit Object Access" in Group Policy or Local Security Policy, under "Local Policies -> Audit Policy" and then you will be able to configure file auditing in the Audit tab.  But be careful, as this can put a very heavy load on a file server.  Keep a close eye on your performance if you do this.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37749646
Also note that object deleted events will report an event ID of 564. Enabling file system auditing will result in a *lot* of generated events, so you'll have a lot of stuff to dig through. The events generated will also occasionally be a result of programs being opened and closed, as some programs will create and delete files when they operate. It's usually a good idea to only turn on file system auditing on a limited number of directories on the computer, like a shared folder, so you don't get as many false positives.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 4

Author Comment

by:Joeteck
ID: 37749821
Event ID 564 is pretty much useless. I'm more interested in generating event ID 4663, and reading that from my third party program... I will have it reading my security log waiting for Event ID 4663, which is much more useful... Once I find out how to generate this Event ID, I'm golden!
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37749856
That event ID is only generated in Vista, 7, and Windows 2008. If you're monitoring a Windows 2003 server, it will never come up.
0
 
LVL 4

Author Comment

by:Joeteck
ID: 37752113
So, what you're saying is that I need a third party program that can do this?
0
 
LVL 4

Accepted Solution

by:
JustMy2Cents earned 500 total points
ID: 37753446
FileAudit (http://www.isdecisions.com/products/fileaudit/) would come handy here Joeteck, as this software solution monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

Plus, FileAudit will enable "Audit Object Access" for you and will configure the NTFS audit as well.

You can download a free, fully-functional trial from here:
http://www.isdecisions.com/download/fileaudit.htm
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now