Hello
Can anyone help , I have searched and not found to much info on being able to monitor who has deleted or moved a file/folder on a shared drive on our network. We are using server 2003. Anyone know how to find out this information or any software that we could install ?
Turn on auditing on the filesystem for the folder above the one which is being moved (eg if on the server you have d:\groups\maths, d:\groups\science etc then I think you want to monitor d:\groups). You also need to turn on auditing in the local security settings of the server.
When you do this, an event will be written to the security event log of the server but if this is a busy server you could be swamped in data.
Thanks It is a busy server, I have set up the audit for the folder that i wanted to monitor when i log into event viewer though it does not really tell me what has been moved or deleted just that it has been accessed. any ideas ?
When you turn on auditing on the file system you will get a *lot* of info; I think you're looking for event 562 for delete (see sample below from my event log) and you can filter on this.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 07/07/2008
Time: 17:15:17
User: CISNT\1973
Computer: PC051208
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\temp\trans\Translator.sa.CAB
Handle ID: 3576
Operation ID: {0,12812947}
Process ID: 2788
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: 1973
Primary Domain: CISNT
Primary Logon ID: (0x0,0x6C227)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote