Solved

Move\Store deleted files & log user

Posted on 2014-03-24
11
320 Views
Last Modified: 2014-03-26
Hi

We have an issue where a member of an organisation is under suspected to be deleting files, what we really need to do is:

A) Be able to prove that this person is deleting files so require some sort of logging

B) Have any files that are deleted moved to another folder instead of their default location (Instead of the recycle bin etc.)

Is there a way to do this?

I understand that we can enable auditing but is changing the location that deleted files go to possible?
0
Comment
Question by:diles
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
11 Comments
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39950500
Enable auditing is all the proof you will need. Unfortunately I am not aware of how to change the location of Deleted files and folders.

Have you considered using VSS and Previous Versions?
http://technet.microsoft.com/en-us/magazine/dd637757.aspx
http://technet.microsoft.com/en-us/library/cc771305.aspx

DirkMare
0
 
LVL 4

Accepted Solution

by:
michaelalphi earned 250 total points
ID: 39955442
I find this earlier discussed thread helpful for you which is resolved with the same concern.
Or, follow the steps below :
Log on to a computer that keeps shared folder structure with administrative permissions,
click Start ¿ Run and launch gpedit.msc MMC console.
In a Computer configuration node, open Windows Settings ¿ Security Settings ¿ Local Policies ¿ Audit Policies folder
Double click on audit object access policy and select success check-box.
0
 

Author Comment

by:diles
ID: 39955512
Thanks for the input but what we really require is to capture the deleted files into a "recycle Bin" The concern is that one of the staff may/has deleted files which should not have been deleted. The bigger issue is that staff may not even be aware of these files even exist as this person is top of the tree in the business. UNDELETE is a good program and has worked for customers in the passed but he would have to authorise this purchase. Not a good idea. So we need to do this on the "Cheap"
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39955524
As I said in my previous post there is no need for 3rd party software. Use Windows Shadow copies, set it to create snapshots every 25 min and when the need arises open up previous versions and restore the file.

DirkMare
0
 

Author Comment

by:diles
ID: 39955831
We are well aware of Shadow copy but this does not help if we do not know what has been deleted. Further Shadow copy will not keep previous versions forever. The idea is to trap the deleted files so we can see what is going on with this guy. So we need a "poor mans" version of Undelete. Any idea's welcome.
0
 
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 250 total points
ID: 39955871
create a xcopy script that will copy all the Files and Folders within a folder to another folder.

Go to Task Manager and schedule the script to run every 'x' min.

@ ECHO OFF
for /F "tokens=1,2,3 delims=/ " %%i in ("%date%") DO set tempdate=%%i%%j%%k
xcopy "Path"\Payroll\*.* "Path"\efs_System_Backup\Daily\%tempdate%\*.* /E /V /C

Open in new window


Like I said previously I don't know how to move deleted items to another folder, and as far as I know this will not be possible as the user is probably accessing the files via a share, and all shared files are permanently deleted, no Recycle Bin is used.

DirkMare
0
 

Author Comment

by:diles
ID: 39955884
Strangely enough I had already done this but was still hoping for a "Recycle Bin" type solution. Scrolling thought logs looking for deleted files is time consuming and painful. Just looking for an easy life.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39955916
You can setup Event Log Subscriptions that will email you in the event that a file is deleted..

Why dont you just explicitly deny the user the right to delete files and folders?

DirkMare
0
 

Author Comment

by:diles
ID: 39955944
Could do this but he is the CEO (going rouge) oppssssss.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39955972
Seems like you are in n bit of a spot. Having something that is a couple of minutes old is better than having nothing.

You can play the naive game and say you dont know whats going on and you will investigate. And seeing that he is doing this on purpose i doubt he will be knocking on your door asking you what's going on.

DirkMare
0
 

Author Comment

by:diles
ID: 39956006
Its all a bit political, without giving anything away he could well be on his way to the dole queue but for now we have to act like all is well. He has caused some serious issues over the last few months and managed to talk to Board in to keeping him. Not everyone is aware of the issues and we are talking to "seconds" in command for now. They don't want to invest in purchase of software as this will alert him. As usual IT have to put up with all of this. I may install a trial of Undelete for now hoping it resolves is self in the mean time.

Thanks everyone for your input.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question