Solved

How do you turn on file auditing on a server in a domain?

Posted on 2012-03-21
7
149 Views
Last Modified: 2012-06-21
I been having a problem of people deleting files. Where people go, I have no idea what happened. I need to setup auditing so I can see who deletes the files on the server. I had it set at one point but all it generated was Event ID 560's and did not tell me who and what file..
0
Comment
Question by:Joeteck
7 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37749618
For file system auditing, you have to configure the level of auditing for Object Access in Group Policy to enabled on the server as well as configuring auditing on the drives themselves. You can do this in a GPO by adding the Drive you want in Computer Configuration\Windows Settings\Security Settings\File System. When the permissions screen shows up, go to Advanced, then the auditing tab and set the level of auditing you want to perform in there. I recommend against auditing success on reads. To keep track of when stuff is deleted, set Delete to audit success and failure.
0
 

Expert Comment

by:Elohir
ID: 37749630
You need to Enable "Audit Object Access" in Group Policy or Local Security Policy, under "Local Policies -> Audit Policy" and then you will be able to configure file auditing in the Audit tab.  But be careful, as this can put a very heavy load on a file server.  Keep a close eye on your performance if you do this.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37749646
Also note that object deleted events will report an event ID of 564. Enabling file system auditing will result in a *lot* of generated events, so you'll have a lot of stuff to dig through. The events generated will also occasionally be a result of programs being opened and closed, as some programs will create and delete files when they operate. It's usually a good idea to only turn on file system auditing on a limited number of directories on the computer, like a shared folder, so you don't get as many false positives.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 4

Author Comment

by:Joeteck
ID: 37749821
Event ID 564 is pretty much useless. I'm more interested in generating event ID 4663, and reading that from my third party program... I will have it reading my security log waiting for Event ID 4663, which is much more useful... Once I find out how to generate this Event ID, I'm golden!
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37749856
That event ID is only generated in Vista, 7, and Windows 2008. If you're monitoring a Windows 2003 server, it will never come up.
0
 
LVL 4

Author Comment

by:Joeteck
ID: 37752113
So, what you're saying is that I need a third party program that can do this?
0
 
LVL 4

Accepted Solution

by:
JustMy2Cents earned 500 total points
ID: 37753446
FileAudit (http://www.isdecisions.com/products/fileaudit/) would come handy here Joeteck, as this software solution monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

Plus, FileAudit will enable "Audit Object Access" for you and will configure the NTFS audit as well.

You can download a free, fully-functional trial from here:
http://www.isdecisions.com/download/fileaudit.htm
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now