audit actions on windows server 2012

Hello,

I search to know if it's possible to extract an audit from event logs windows if the properties of log are default and owerwrite.

Someone are deleted files on a server and drop the recycle bin and I have to found this in the logs.

Thanks

Regards
bibi92Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
if those events were set to be captured and you are quick enough to save the audit log and then you can view at your leisure.
0
bibi92Author Commented:
No I do  not see auditing on the files and windows application is overwritte over than 20 mo. Is it possible to find trace  without windows logs. I think that a local user has been created and renamed for doing opérations.
0
David Johnson, CD, MVPOwnerCommented:
you must first set which items to audit and then you can review those items in the audit logs you cannot do it after the fact.

If a user has access to create a local user then you have much more security concerns. These files should have been on a server and servers should limit physical access to them.. If a user has physical access then all bets are off.  

Without these audit logs you will have no proof of who deleted these files.. and someone that gains admin access can delete the audit logs.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bibi92Author Commented:
Hello,

Can I find these informations in security log?

Thanks
0
David Johnson, CD, MVPOwnerCommented:
only after you've configured the security auditing setting for events from now on.. you cannot go into the past and get information on something that has not already been recorded.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.