Use auditing to track who deleted your files


I had a reader write me a few days ago:

...I'm in a school environment and a student has deleted some files and I would like to know how I can do this in Win2k server to catch this sucker. Please advise and more power to you.

This can be accomplished through auditing. Let's start by identifying the folder we want to watch. Be careful where you turn on auditing: enable it on too many folders with too many options and you can cause serious performance problems.

We find the folder we want, right-click it, and go to Properties.

[Screenshot: Audit For Deleted Files Properties]

This will bring up the properties page for the folder. Move over to the Security tab, and click the Advanced button:

[Screenshot: Audit For Deleted Files Properties Page]

The advanced page will appear. Click the Auditing tab, and click the Add button:

[Screenshot: Audit For Deleted Files Advanced]

A user dialog will come up. I chose to put the "Everyone" group here. This allows me to audit for any possible user account that may be deleting files. If you think you know who it might be...you could put those users here instead. The smaller window of users being audited means better performance.

[Screenshot: Audit for Deleted Files User Selection]

Once you click OK, a selection box will be displayed. Again, choose only the options you need. Each additional option will reduce performance. Here I just pick the options to audit deleting files and folders.

[Screenshot: Audit For Deleted Files Event Selection]

Click OK through all of the windows you have open. If a user deletes a file or folder, Windows will write an event to the security log.

Now we have auditing turned on. Suppose you get to work one morning and find that files are missing. Simply open the Event Viewer and move over to the Security log. Look for event ID 560:

[Screenshot: Audit For Deleted Files Security Event 560]

Double-click the event, and you will need to sit there and read it for a little bit to determine who did what. Here is an excerpt from mine (I copied the text from Event Viewer to Notepad for easier reading):

[Screenshot: Audit For Deleted Files Security Event 560 View]

We can see from this log entry that the user Administrator deleted the file setuperr.log.

Now when someone deletes a file, you will have no problem determining who did it.
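
To avoid reading each event by hand, the following added example (not from the original article) parses event 560 text copied out of Event Viewer and lists who requested DELETE access on which object. The sample events, their field layout, the Client/Primary handling, and the names `parse_event` and `who_requested_delete` are assumptions made for this illustration.

```python
import re

# Constructed sample of event 560 text pasted from Event Viewer (field layout
# assumed, trimmed to the fields used here; all names and paths are made up).
SAMPLE = r"""
Object Open:
    Object Name:        D:\Shared\Homework\essay.doc
    Primary User Name:  FILESRV$
    Client User Name:   jsmith
    Accesses:           DELETE
                        ReadAttributes

Object Open:
    Object Name:        D:\Shared\setuperr.log
    Primary User Name:  Administrator
    Client User Name:   -
    Accesses:           DELETE

Object Open:
    Object Name:        D:\Shared\Homework\notes.txt
    Primary User Name:  FILESRV$
    Client User Name:   jsmith
    Accesses:           READ_CONTROL
"""

def parse_event(text):
    """Return {field: value}; lines without a 'Name:' prefix extend the last field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line)
        if m and m.group(2):
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last and line.strip() and not m:
            fields[last] += "," + line.strip()
    return fields

def who_requested_delete(log_text):
    """Yield (user, object) for each event whose Accesses list includes DELETE."""
    for block in re.split(r"\n\s*\n", log_text.strip()):
        f = parse_event(block)
        if "DELETE" in f.get("Accesses", "").split(","):
            # Client is the remote user over a share; "-" means local, so use Primary.
            user = f.get("Client User Name", "-")
            if user == "-":
                user = f.get("Primary User Name", "?")
            yield user, f.get("Object Name", "?")

for user, obj in who_requested_delete(SAMPLE):
    print(user, "requested DELETE on", obj)
```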

If you have a Windows administration question, or an idea for a utility, please send me an email at support@intelliadmin.com. I can't promise that I will answer every email, but I try to read them all.


Posted By: Steve Wiseman on Friday, March 21, 2008


Copyright © IntelliAdmin, LLC, 2008. All Rights Reserved