Solved

Audit actions on Windows Server 2012

Posted on 2014-10-02
Last Modified: 2014-10-04
Hello,

I would like to know if it's possible to extract an audit trail from the Windows event logs when the log properties are at their defaults and set to overwrite.

Someone deleted files on a server and emptied the Recycle Bin, and I have to find this in the logs.

Thanks

Regards
0
Question by:bibi92
5 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40357532
If those events were set to be captured and you are quick enough to save the audit log, then you can view it at your leisure.
0
 

Author Comment

by:bibi92
ID: 40357696
No, I do not see auditing on the files, and the Windows Application log is overwritten once it exceeds 20 MB. Is it possible to find a trace without the Windows logs? I think that a local user has been created and renamed to carry out the operations.
0
 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40357812
You must first set which items to audit, and then you can review those items in the audit logs. You cannot do it after the fact.

If a user has access to create a local user then you have much more security concerns. These files should have been on a server, and servers should limit physical access to them. If a user has physical access then all bets are off.

Without these audit logs you will have no proof of who deleted these files, and someone who gains admin access can delete the audit logs.
0
 

Author Comment

by:bibi92
ID: 40358714
Hello,

Can I find this information in the Security log?

Thanks
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40361468
Only after you've configured the security auditing setting, and only for events from now on. You cannot go into the past and get information on something that has not already been recorded.
0
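The answers above say that file deletions and account changes are only recorded once auditing has been configured. The following PowerShell is an added example, not part of the original thread, showing one way to set that up and then query the Security log. The folder in `$Path` is hypothetical and the 1 GB log size is an assumed value.

```powershell
# Run from an elevated PowerShell prompt on the file server.
# $Path is a hypothetical folder; replace it with the share to be monitored.
$Path = 'D:\Shares\Data'

# 1. Enable the audit subcategories that record file access and account changes.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# 2. Add a SACL entry so deletes under $Path are written to the Security log.
#    S-1-1-0 is the well-known Everyone SID (avoids localized group names).
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Enlarge the Security log (1 GB, assumed value) so events are overwritten less quickly.
wevtutil sl Security /ms:1073741824

# 4. Later: list delete accesses (4663 with the DELETE bit 0x10000) and
#    local account creation (4720) or renaming (4781).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4720, 4781 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # Skip 4663 events that are not delete accesses.
        if ($evt.Id -eq 4663 -and
            ([Convert]::ToInt32($data['AccessMask'], 16) -band 0x10000) -eq 0) { return }
        $target = switch ($evt.Id) {
            4663 { $data['ObjectName'] }
            4720 { $data['TargetUserName'] }
            4781 { '{0} -> {1}' -f $data['OldTargetUserName'], $data['NewTargetUserName'] }
        }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            EventId = $evt.Id
            Actor   = $data['SubjectUserName']
            Target  = $target
        }
    }
```

Steps 1 to 3 only affect events generated after they are applied; step 4 returns nothing for activity that happened before auditing was enabled.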
