How do you turn on file auditing on a server in a domain?

I been having a problem of people deleting files. Where people go, I have no idea what happened. I need to setup auditing so I can see who deletes the files on the server. I had it set at one point but all it generated was Event ID 560's and did not tell me who and what file..
LVL 4
JoeteckAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
JustMy2CentsConnect With a Mentor Commented:
FileAudit (http://www.isdecisions.com/products/fileaudit/) would come handy here Joeteck, as this software solution monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

Plus, FileAudit will enable "Audit Object Access" for you and will configure the NTFS audit as well.

You can download a free, fully-functional trial from here:
http://www.isdecisions.com/download/fileaudit.htm
0
 
Adam BrownSr Solutions ArchitectCommented:
For file system auditing, you have to configure the level of auditing for Object Access in Group Policy to enabled on the server as well as configuring auditing on the drives themselves. You can do this in a GPO by adding the Drive you want in Computer Configuration\Windows Settings\Security Settings\File System. When the permissions screen shows up, go to Advanced, then the auditing tab and set the level of auditing you want to perform in there. I recommend against auditing success on reads. To keep track of when stuff is deleted, set Delete to audit success and failure.
0
 
ElohirCommented:
You need to Enable "Audit Object Access" in Group Policy or Local Security Policy, under "Local Policies -> Audit Policy" and then you will be able to configure file auditing in the Audit tab.  But be careful, as this can put a very heavy load on a file server.  Keep a close eye on your performance if you do this.
0
Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

 
Adam BrownSr Solutions ArchitectCommented:
Also note that object deleted events will report an event ID of 564. Enabling file system auditing will result in a *lot* of generated events, so you'll have a lot of stuff to dig through. The events generated will also occasionally be a result of programs being opened and closed, as some programs will create and delete files when they operate. It's usually a good idea to only turn on file system auditing on a limited number of directories on the computer, like a shared folder, so you don't get as many false positives.
0
 
JoeteckAuthor Commented:
Event ID 564 is pretty much useless. I'm more interested in generating event ID 4663, and reading that from my third party program... I will have it reading my security log waiting for Event ID 4663, which is much more useful... Once I find out how to generate this Event ID, I'm golden!
0
 
Adam BrownSr Solutions ArchitectCommented:
That event ID is only generated in Vista, 7, and Windows 2008. If you're monitoring a Windows 2003 server, it will never come up.
0
 
JoeteckAuthor Commented:
So, what you're saying is that I need a third party program that can do this?
0
All Courses

From novice to tech pro — start learning today.