Auditing file deletion on a server

cartera

Hello peeps,

To prevent reading the blurb below, any ideas on how to monitor file deletion/movement on a server? This is in a domain environment and needs to be able to log the user who made the change.

If you're feeling more adventurous, below is what I tried!

On our servers we have a problem that folders are moving and disappearing from a particular file. It is one member of an Active Directory group, we believe, that is deliberately or unknowingly deleting the files.
Currently I am running Watch 4 Folder to log when a file is changed or deleted (this allows me to know the exact time and name of the folder which is being deleted). I am also trying to use auditing policies within Windows Server 2003 to log this as well, so I know the user who has deleted the file.

Watch 4 Folder gives me a time to cross-reference with Event Viewer, to save me searching through the last 100,000 events in the security log.

The auditing policy does not work and I have hit a brick wall on reasons why.
I created the policy on the server by going to the folder I wish to monitor and opening its properties. In properties I selected the Security tab, then the Advanced button, and then the Auditing tab.
Under this tab I created the policy, so I went Add and set the object name as the possible offenders' group policy group. I then applied it to 'this folder, subfolders and files' and then selected all possible access options in successful and failed.

As far as I am aware this should work, but it would seem not from testing!

Any info, corrections or ideas would be greatly appreciated!

Regards,

Alastair
 
Under this tab I created the policy, so I went Add and set the object name as the possible offenders' group policy group. I then applied it to 'this folder, subfolders and files' and then selected all possible access options in successful and failed.
Add the <everyone> group and audit [x] delete, [x] change perms
 
Attached is how I got my audit configured and a sample of the Events log it creates
 

Attachments

  • CreateSystemAuditing.txt
    854 bytes · Views: 6
  • SystemAudit.log.txt
    6.9 KB · Views: 5
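
The audit entry suggested in the reply (Everyone, Delete and Change Permissions, applied to this folder, subfolders and files), set from PowerShell. This is an added example, not part of the thread or its attachments. The folder path is a hypothetical placeholder, and it assumes PowerShell is installed, the session is elevated, success and failure are both audited as in the original post, and the "Audit object access" policy is enabled, because a folder's auditing entries only produce Security log events when that policy is on.

```powershell
# Added example: put a Delete / Change Permissions audit entry for Everyone
# on one folder and read it back. Not taken from the thread's attachments.
# $Path is a hypothetical placeholder; pass the folder you want to monitor.
param([string]$Path = 'D:\Shares\Projects')

# Rights named in the reply: [x] delete, [x] change perms
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, ChangePermissions'
# "This folder, subfolders and files"
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
# Assumption: log both successful and failed attempts
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Everyone by its well-known SID (S-1-1-0), so the name does not depend on OS language
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# -Audit loads the SACL as well; without it the audit entries are not read
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $everyone, $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm what is now audited (explicit and inherited entries)
(Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags,
                 InheritanceFlags, IsInherited -AutoSize
```

Auditing Everyone rather than the suspected group means the entry still matches if the deletion comes from an account outside that group.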