Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 324
  • Last Modified:

Move\Store deleted files & log user

Hi

We have an issue where a member of an organisation is under suspected to be deleting files, what we really need to do is:

A) Be able to prove that this person is deleting files so require some sort of logging

B) Have any files that are deleted moved to another folder instead of their default location (Instead of the recycle bin etc.)

Is there a way to do this?

I understand that we can enable auditing but is changing the location that deleted files go to possible?
0
diles
Asked:
diles
  • 5
  • 5
2 Solutions
 
Dirk MareSystems Engineer (Acting IT Manager)Commented:
Enable auditing is all the proof you will need. Unfortunately I am not aware of how to change the location of Deleted files and folders.

Have you considered using VSS and Previous Versions?
http://technet.microsoft.com/en-us/magazine/dd637757.aspx
http://technet.microsoft.com/en-us/library/cc771305.aspx

DirkMare
0
 
michaelalphiCommented:
I find this earlier discussed thread helpful for you which is resolved with the same concern.
Or, follow the steps below :
Log on to a computer that keeps shared folder structure with administrative permissions,
click Start ¿ Run and launch gpedit.msc MMC console.
In a Computer configuration node, open Windows Settings ¿ Security Settings ¿ Local Policies ¿ Audit Policies folder
Double click on audit object access policy and select success check-box.
0
 
dilesAuthor Commented:
Thanks for the input but what we really require is to capture the deleted files into a "recycle Bin" The concern is that one of the staff may/has deleted files which should not have been deleted. The bigger issue is that staff may not even be aware of these files even exist as this person is top of the tree in the business. UNDELETE is a good program and has worked for customers in the passed but he would have to authorise this purchase. Not a good idea. So we need to do this on the "Cheap"
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
Dirk MareSystems Engineer (Acting IT Manager)Commented:
As I said in my previous post there is no need for 3rd party software. Use Windows Shadow copies, set it to create snapshots every 25 min and when the need arises open up previous versions and restore the file.

DirkMare
0
 
dilesAuthor Commented:
We are well aware of Shadow copy but this does not help if we do not know what has been deleted. Further Shadow copy will not keep previous versions forever. The idea is to trap the deleted files so we can see what is going on with this guy. So we need a "poor mans" version of Undelete. Any idea's welcome.
0
 
Dirk MareSystems Engineer (Acting IT Manager)Commented:
create a xcopy script that will copy all the Files and Folders within a folder to another folder.

Go to Task Manager and schedule the script to run every 'x' min.

@ ECHO OFF
for /F "tokens=1,2,3 delims=/ " %%i in ("%date%") DO set tempdate=%%i%%j%%k
xcopy "Path"\Payroll\*.* "Path"\efs_System_Backup\Daily\%tempdate%\*.* /E /V /C

Open in new window


Like I said previously I don't know how to move deleted items to another folder, and as far as I know this will not be possible as the user is probably accessing the files via a share, and all shared files are permanently deleted, no Recycle Bin is used.

DirkMare
0
 
dilesAuthor Commented:
Strangely enough I had already done this but was still hoping for a "Recycle Bin" type solution. Scrolling thought logs looking for deleted files is time consuming and painful. Just looking for an easy life.
0
 
Dirk MareSystems Engineer (Acting IT Manager)Commented:
You can setup Event Log Subscriptions that will email you in the event that a file is deleted..

Why dont you just explicitly deny the user the right to delete files and folders?

DirkMare
0
 
dilesAuthor Commented:
Could do this but he is the CEO (going rouge) oppssssss.
0
 
Dirk MareSystems Engineer (Acting IT Manager)Commented:
Seems like you are in n bit of a spot. Having something that is a couple of minutes old is better than having nothing.

You can play the naive game and say you dont know whats going on and you will investigate. And seeing that he is doing this on purpose i doubt he will be knocking on your door asking you what's going on.

DirkMare
0
 
dilesAuthor Commented:
Its all a bit political, without giving anything away he could well be on his way to the dole queue but for now we have to act like all is well. He has caused some serious issues over the last few months and managed to talk to Board in to keeping him. Not everyone is aware of the issues and we are talking to "seconds" in command for now. They don't want to invest in purchase of software as this will alert him. As usual IT have to put up with all of this. I may install a trial of Undelete for now hoping it resolves is self in the mean time.

Thanks everyone for your input.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now