Steven Hoong
asked on
Check to see who deleted a folder
Someone deleted a folder off our shared system. I want to see who it is. I do have auditing turned on but when I go to the event, I only see a general description
audit.jpg
audit.jpg
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I agree with masnrock, you first need to turn on auditing from either local policies or domain policies and apply it to the machine you want to audit.
Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.
GPEDIT:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object Access
You can turn on success and then it would create a failure, so you dont want to monitor those events.
Here are more reference for doing this
http://www.monitorware.com/common/en/articles/audit_file_deletion.php
http://www.poweradmin.com/file-sight/
https://www.netfort.com/languardian/solutions/file-activity-monitoring/
https://www.netwrix.com/how_to_detect_who_deleted_file.html
Hope it help
Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.
GPEDIT:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object Access
You can turn on success and then it would create a failure, so you dont want to monitor those events.
Here are more reference for doing this
http://www.monitorware.com/common/en/articles/audit_file_deletion.php
http://www.poweradmin.com/file-sight/
https://www.netfort.com/languardian/solutions/file-activity-monitoring/
https://www.netwrix.com/how_to_detect_who_deleted_file.html
Hope it help
Go through the article, there are other GP you need enable, after enabling those you can install DFSR and create a report to send a mail notification.
https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/
https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/
Check the below article to get in detailed description of the procedure for tracking file deletions on Windows File Servers: https://www.lepide.com/how-to/track-file-deletions-and-permission-changes-on-file-servers.html