Announcement

Collapse
No announcement yet.

File Deletion Logging.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • File Deletion Logging.

    hello,

    this may very well be a very simple solution...

    is there something that i can turn on to track users who delete files from the windows 2003 shares?

  • #2
    Re: File Deletion Logging.

    Hi,

    Have a look at this: http://articles.techrepublic.com.com...1-6028421.html

    Especially the File-level Audit section.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: File Deletion Logging.

      File level auditing is the option you need to select. Also, the logs will increased to a huge size very rapidly.
      Mohan Mathew[VU3MMU]
      MCITP [AD]

      Comment


      • #4
        Re: File Deletion Logging.

        Originally posted by mohanmathew View Post
        File level auditing is the option you need to select. Also, the logs will increased to a huge size very rapidly.
        Yep, isn't that what i suggested?
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        Comment


        • #5
          Re: File Deletion Logging.

          thanks guys,
          i knew it was something to do with Auditing... i'll read into this further and give it a shot!

          merci

          Comment


          • #6
            Re: File Deletion Logging.

            Originally posted by L4ndy View Post
            Yep, isn't that what i suggested?
            oh no, I was just trying to point out the log size will increase.
            Mohan Mathew[VU3MMU]
            MCITP [AD]

            Comment


            • #7
              Re: File Deletion Logging.

              well, i've tried this but can't get anything to show in the log file.??

              hmmm...

              what i did was turn on the auditing in the GPO, then went to the repective share and advanced and turned on Delete auditing for all Domain Users.

              Comment


              • #8
                Re: File Deletion Logging.

                Originally posted by swixtt View Post
                well, i've tried this but can't get anything to show in the log file.??
                Do you mean in the security log in the event viewer on the system where the file/folder was audited?

                hmmm...

                what i did was turn on the auditing in the GPO, then went to the repective share and advanced and turned on Delete auditing for all Domain Users.
                Did you then, delete a file or folder logged on as a member of domain users group?
                Also if that doesn't work, can you just audit a user account instead and check the logs.
                Caesar's cipher - 3

                ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                SFX JNRS FC U6 MNGR

                Comment


                • #9
                  Re: File Deletion Logging.

                  yes, in the event security log on the DC... that is where i had the auditing turned on for a share.
                  i tested it by creating and deleting a file as a domain user.

                  i needed to delete a user account from the AD and this showed in the security log.

                  Comment


                  • #10
                    Re: File Deletion Logging.

                    WHat auditing did you turn on - for file operations it is "audit object access"
                    Tom Jones
                    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                    PhD, MSc, FIAP, MIITT
                    IT Trainer / Consultant
                    Ossian Ltd
                    Scotland

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **

                    Comment


                    • #11
                      Re: File Deletion Logging.

                      that's the one

                      Comment


                      • #12
                        Re: File Deletion Logging.

                        still nothing showing in the security logs.

                        any other suggestions to test this.

                        i have the 'audit object access' = Success and then have gone into a share on the server and selected an individual users as well as the domain users.

                        Comment


                        • #13
                          Re: File Deletion Logging.

                          Sounds like you did everything right. You mentioned before that you changed auditing in the GPO. Use RSoP (Resultant Set of Policy) to make sure you're applying the policy and if it is that another GPO isn't overriding it.
                          Last edited by ahinson; 29th December 2008, 19:55.
                          Andrew

                          ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

                          Comment


                          • #14
                            Re: File Deletion Logging.

                            OK... i ran the rsop.msc on my laptop and drilled down to the auditing section... it shows the Audit object access = success and under source GPO it shows the name of the GPO properly.

                            thanks

                            Originally posted by ahinson View Post
                            Sounds like you did everything right. You mentioned before that you changed auditing in the GPO. Use RSP (Resultant Set of Policy) to make sure you're applying the policy and if it is that another GPO isn't overriding it.

                            Comment


                            • #15
                              Re: File Deletion Logging.

                              Hmm not sure what might be wrong. I did a quit setup on a test box and what you did should have worked. I did this in the local policy but since the gpo is applying correctly it shouldn't make a difference.

                              I did notice one thing... When I deleted the file locally it logged it. When I did it thru the share while logged in locally from the server it didn't.

                              Andrew

                              ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

                              Comment

                              Working...
                              X