Solved

Move\Store deleted files & log user

Posted on 2014-03-24
11
317 Views
Last Modified: 2014-03-26
Hi

We have an issue where a member of an organisation is under suspected to be deleting files, what we really need to do is:

A) Be able to prove that this person is deleting files so require some sort of logging

B) Have any files that are deleted moved to another folder instead of their default location (Instead of the recycle bin etc.)

Is there a way to do this?

I understand that we can enable auditing but is changing the location that deleted files go to possible?
0
Comment
Question by:diles
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
11 Comments
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39950500
Enable auditing is all the proof you will need. Unfortunately I am not aware of how to change the location of Deleted files and folders.

Have you considered using VSS and Previous Versions?
http://technet.microsoft.com/en-us/magazine/dd637757.aspx
http://technet.microsoft.com/en-us/library/cc771305.aspx

DirkMare
0
 
LVL 4

Accepted Solution

by:
michaelalphi earned 250 total points
ID: 39955442
I find this earlier discussed thread helpful for you which is resolved with the same concern.
Or, follow the steps below :
Log on to a computer that keeps shared folder structure with administrative permissions,
click Start ¿ Run and launch gpedit.msc MMC console.
In a Computer configuration node, open Windows Settings ¿ Security Settings ¿ Local Policies ¿ Audit Policies folder
Double click on audit object access policy and select success check-box.
0
 

Author Comment

by:diles
ID: 39955512
Thanks for the input but what we really require is to capture the deleted files into a "recycle Bin" The concern is that one of the staff may/has deleted files which should not have been deleted. The bigger issue is that staff may not even be aware of these files even exist as this person is top of the tree in the business. UNDELETE is a good program and has worked for customers in the passed but he would have to authorise this purchase. Not a good idea. So we need to do this on the "Cheap"
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39955524
As I said in my previous post there is no need for 3rd party software. Use Windows Shadow copies, set it to create snapshots every 25 min and when the need arises open up previous versions and restore the file.

DirkMare
0
 

Author Comment

by:diles
ID: 39955831
We are well aware of Shadow copy but this does not help if we do not know what has been deleted. Further Shadow copy will not keep previous versions forever. The idea is to trap the deleted files so we can see what is going on with this guy. So we need a "poor mans" version of Undelete. Any idea's welcome.
0
 
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 250 total points
ID: 39955871
create a xcopy script that will copy all the Files and Folders within a folder to another folder.

Go to Task Manager and schedule the script to run every 'x' min.

@ ECHO OFF
for /F "tokens=1,2,3 delims=/ " %%i in ("%date%") DO set tempdate=%%i%%j%%k
xcopy "Path"\Payroll\*.* "Path"\efs_System_Backup\Daily\%tempdate%\*.* /E /V /C

Open in new window


Like I said previously I don't know how to move deleted items to another folder, and as far as I know this will not be possible as the user is probably accessing the files via a share, and all shared files are permanently deleted, no Recycle Bin is used.

DirkMare
0
 

Author Comment

by:diles
ID: 39955884
Strangely enough I had already done this but was still hoping for a "Recycle Bin" type solution. Scrolling thought logs looking for deleted files is time consuming and painful. Just looking for an easy life.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39955916
You can setup Event Log Subscriptions that will email you in the event that a file is deleted..

Why dont you just explicitly deny the user the right to delete files and folders?

DirkMare
0
 

Author Comment

by:diles
ID: 39955944
Could do this but he is the CEO (going rouge) oppssssss.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39955972
Seems like you are in n bit of a spot. Having something that is a couple of minutes old is better than having nothing.

You can play the naive game and say you dont know whats going on and you will investigate. And seeing that he is doing this on purpose i doubt he will be knocking on your door asking you what's going on.

DirkMare
0
 

Author Comment

by:diles
ID: 39956006
Its all a bit political, without giving anything away he could well be on his way to the dole queue but for now we have to act like all is well. He has caused some serious issues over the last few months and managed to talk to Board in to keeping him. Not everyone is aware of the issues and we are talking to "seconds" in command for now. They don't want to invest in purchase of software as this will alert him. As usual IT have to put up with all of this. I may install a trial of Undelete for now hoping it resolves is self in the mean time.

Thanks everyone for your input.
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A procedure for exporting installed hotfix details of remote computers using powershell
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question