Auditing file deletion on a server

By cartera
Aug 23, 2011
Post New Reply
  1. Hello peeps,

    To prevent reading the blurb below, any ideas on how to monitor on a server file deletion/ movement. This is in a domain environment and needs to be able to log the user which made the change.

    If your feeling more adventurous below is what i tried!

    On our servers we have a problem that folders are moving and disappearing from a particular file. It is one member of an active directory group we believe that is deliberately or unknowingly deleting the files.
    Currently I am running watch 4 folder to log when a file is changed or deleted (this allows me to know the exact time and name of the folder which is been deleted). I am also trying to use auditing policies within windows server 2003 to log this also so i know the user which has deleted the file.

    Watch 4 folder gives me a time to cross reference with event viewer to save me searching through the last 100,000 events in the security log.

    The auditing policy does not work and i have hit a brick wall on reasons why.
    I created the policy by on the server going to the folder i wish to monitor and going to properties. In properties selecting the security tab selecting the advanced button and then selecting auditing tab.
    Under this tab i created the policy so i went add - and set the object name as the possible offenders group policy group. I then applied it to 'this folder, subfolders and files' and then selected all possible access options in successfull and failed.

    This as far as i am aware this should work but it would seem not from testing!

    Any info, corrections or ideas would be greatly appreciated!


  2. jobeard

    jobeard TS Ambassador Posts: 9,151   +598

    add the <everyone> group and Audit [x] delete, [x] change perms
  3. cartera

    cartera TS Addict Topic Starter Posts: 276   +67

    I have tried that also and still the log's are not showing up!
  4. jobeard

    jobeard TS Ambassador Posts: 9,151   +598

    attached is how I got my audit configured and a sample of the Events log it creates

    Attached Files:

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...