Improve company productivity with a Business Account.Sign Up

x
?
Solved

Which event ID do I trap for file / folder deletions in Windows 2008  (not R2)

Posted on 2013-12-13
5
Medium Priority
?
7,243 Views
Last Modified: 2014-01-08
I need to trap for when a file or folder is deleted on a Windows 2008 server (not R2).
I turned on auditing for file and folder deletions.  I started to trap on event id 4663, but 4663 is also used for renaming and saving the file. The events for a rename and deletion are the same, so I can't use this for a trap.

 I need an event id that is only used for a file / folder deletion so I can trap it for an alert.

Thank You
0
Comment
Question by:jalenk
  • 2
  • 2
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 39718005
You can't 'trap' this - - a trap suggests that you can intercept and prevent the action.

Neither can you audit a just a deletion in this way - delete, rename, create are all 'modifications' and share the same audit event - but you can filter the audit log - see http://sogeeky.blogspot.co.uk/2006/07/how-to-audit-and-track-file-deletions.html
0
 

Author Comment

by:jalenk
ID: 39718029
I don't have Event ID 560 in my security log.  I'm using SCOM to pick out the event and alert on it. But, I need a unique event that only fires when a file / foler is deleted.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39718134
Have you also enabled both the auditing of object access (in group policy), and at the folder level?
0
 

Author Comment

by:jalenk
ID: 39721958
Yes i have applied the auditing of object access at the folder and file level. I did some research and Event ID 560 was under in Windows 2003 & early. We have Windows 2008 (not R2)
0
 
LVL 3

Accepted Solution

by:
Detlef001 earned 1500 total points
ID: 39726445
You first will need to turn on auditing, from either local policies, or domain policies and apply it to the machine you want to audit. Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.
GPEDIT:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object Access
You can turn on success, because if they don't have access to delete things then it would create a failure, so you dont want to monitor those events.
Once that is in place, go to the folder you want to monitor, right click and go to properties
Click the security tab --> Advanced --> Auditing Tab --> Edit --> Add --> then add the group that has access to that folder --> Select the events you want to audit and click OK --> Select Replace all existing inheritable audit entries, to appply the audit on all sub folders and files and click OK

I believe security, look for even ID's 4663 and 4656, those should log the deletion of an object. If not you may not have thigns configured properly

Moreover if you want more easy then you can go for an third party application also for the same.

Please use this application for files and folder monitoring.

Thanks.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The password reset disk is often mentioned as the best solution to deal with the lost Windows password problem. In Windows 2008, 7, Vista and XP, a password reset disk can be easily created. But besides Windows 7/Vista/XP, Windows Server 2008 and ot…
Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question