Tracking User who delted files????

Tutorials Win: Microsoft Windows Forum

I have a Win2000 Server running Active DIrectory. I have a situation
where I KNOW that some files were deleted. I cannot prove if they were
deleted by accident or maliciously, but I have my suspiciions. I CAN
narrow the possibilities because the files were in a Security
Restricted area. So.....

Is there any logs, etc, that can tell me explicitly which AD User
deleted a specific file?

Thanks in advance.
Top

Re: Tracking User who delted files???? by Meinolf

Meinolf
Wed Nov 14 12:43:47 PST 2007

Hello NewMan,

Only if you have enabled Auditing on the folder where the files are located.
Auditing you can enable on the folder with the security>advanced>auditing
tab.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> I have a Win2000 Server running Active DIrectory. I have a situation
> where I KNOW that some files were deleted. I cannot prove if they were
> deleted by accident or maliciously, but I have my suspiciions. I CAN
> narrow the possibilities because the files were in a Security
> Restricted area. So.....
>
> Is there any logs, etc, that can tell me explicitly which AD User
> deleted a specific file?
>
> Thanks in advance.
>


Top

Re: Tracking User who delted files???? by NewMan

NewMan
Wed Nov 14 14:29:37 PST 2007

Oh well...

Question: If you enable Auditing on a folder, does the Auditing also
get enabled for all sub-folders contained by that folder?

Thanks.


On Wed, 14 Nov 2007 20:43:47 +0000 (UTC), Meinolf Weber
<meiweb(nospam)@gmx.de> wrote:

>Hello NewMan,
>
>Only if you have enabled Auditing on the folder where the files are located.
>Auditing you can enable on the folder with the security>advanced>auditing
>tab.
>
>Best regards
>
>Meinolf Weber
>Disclaimer: This posting is provided "AS IS" with no warranties, and confers
>no rights.
>** Please do NOT email, only reply to Newsgroups
>** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm
>
>> I have a Win2000 Server running Active DIrectory. I have a situation
>> where I KNOW that some files were deleted. I cannot prove if they were
>> deleted by accident or maliciously, but I have my suspiciions. I CAN
>> narrow the possibilities because the files were in a Security
>> Restricted area. So.....
>>
>> Is there any logs, etc, that can tell me explicitly which AD User
>> deleted a specific file?
>>
>> Thanks in advance.
>>
>

Top

Re: Tracking User who delted files???? by Ace

Ace
Wed Nov 14 19:20:33 PST 2007

In news:0ktmj39ctcbg7llsdufrrbm55qa2judjme@4ax.com,
NewMan <CloakedRun2001@yahoo.ca> typed:
> Oh well...
>
> Question: If you enable Auditing on a folder, does the Auditing also
> get enabled for all sub-folders contained by that folder?
>
> Thanks.

If I may jump in, I believe so because of inheritance. You can go into the
folder's properties, and uncheck inheritance, but that will also stop
security ACL inheritance, where if you do not want to do that, you can go
into the Security Tab, advanced, Auditing tab, and disable iton a per folder
or file basis.

Ace


Top