Audit Deleting of files

Archived from groups: microsoft.public.win2000.security

Hello All,
Is there a way to find out which users (logged in on separate IDs) are
deleting files on a particular machine? We have a folder
on a public machine that keeps disappearing. We want to
know which logged-in user is deleting it. Is there a way
to audit this and find out?

Thanks
Lynn
  1.

    Oops, forgot to say it's on a Windows 2000 Professional
    machine.

  2.

    Configuring auditing is a two-step process. First you need to configure an
    audit policy for your domain:

    To configure an audit policy setting for a domain controller, follow these
    steps:

    1. Click Start, point to Programs, point to Administrative Tools, and
       then click Active Directory Users and Computers.
    2. Click Advanced Features on the View menu.
    3. Right-click Domain Controllers, and then click Properties.
    4. Click the Group Policy tab, click Default Domain Controller Policy,
       and then click Edit.
    5. Click Computer Configuration, double-click Windows Settings,
       double-click Security Settings, double-click Local Policies, and then
       double-click Audit Policy.
    6. In the right pane, right-click Audit Directory Services Access, and
       then click Security.
    7. Click Define These Policy Settings, and then click to select one or
       both of the following check boxes:
       a. Success: Click to select this check box to audit successful attempts
          for the event category.
       b. Failure: Click to select this check box to audit failed attempts for
          the event category.
    8. Right-click any other event category that you want to audit, and then
       click Security.
    9. Click OK.
    10. Because the changes that you make to your computer's audit policy
        setting take effect only when the policy setting is propagated (or applied)
        to your computer, complete one of the following steps to initiate policy
        propagation:
        a. Type secedit /refreshpolicy machine_policy at the command prompt,
           press ENTER, and then restart the computer.

        -or-

        b. Wait for automatic policy propagation, which occurs at regular
           intervals that you can configure. By default, policy propagation occurs
           every eight hours.
    11. Open the Security log to view logged events. NOTE: If you are either
        a domain or an enterprise administrator, you can enable security auditing
        for workstations, member servers, and domain controllers remotely.

    After that, you need to enable the specific folder(s) that you want to have
    audited:

    How To: Set, Remove or Change Auditing for a File or Folder:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;301640


    --
    ******************************
    Laura E. Hunter - MCSE, MCT, MVP
    Replies to newsgroup only

  3.

    Thanks Laura,
    I just want to confirm...For a machine that is networked
    you can't just do an audit on the machine. There has to
    be a domain policy right?

  4.

    Yes, you can do it on a single computer, but you need to enable auditing of "object
    access". Open Local Security Policy via secpol.msc, configure auditing as Laura
    recommended, enable auditing of object access, and then audit the parent folder of
    the folder that keeps getting deleted. Then you will find Event IDs 560 and 562
    in the security log in Event Viewer when files are being accessed. I suggest that you
    audit only the two delete permissions, avoid auditing for access by users or
    everyone, and use your own group of users if possible to keep the number of events
    down. Additionally, you should review your NTFS special permissions for apply onto
    "this folder only". Maybe too many users have the permissions to delete the folder
    and do not need that permission. You will have to view Event IDs 560 and 562 as
    pairs by timestamp for meaningful info. --- Steve

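
The pairing of Event IDs 560 and 562 described in the last reply, as an added example that is not part of the original thread: it matches each 560 that requested DELETE access under the audited parent folder with the 562 that closes the same handle. The record layout, field names, accounts and paths are constructed assumptions, not a Windows export format.

```python
from datetime import datetime

# Constructed sample records, simplified from Security log entries.
# Field names (time, id, user, object, handle, pid, accesses) are assumptions
# made for this example; they are not a format defined by Windows.
SAMPLE_EVENTS = [
    {"time": "2004-09-09 10:02:11", "id": 560, "user": r"PUBLICPC\alice",
     "object": r"C:\Shared\Reports\q3.xls", "handle": 1204, "pid": 880,
     "accesses": ["READ_CONTROL", "ReadData"]},
    {"time": "2004-09-09 10:02:12", "id": 562, "handle": 1204, "pid": 880},
    {"time": "2004-09-09 14:31:40", "id": 560, "user": r"PUBLICPC\bob",
     "object": r"C:\Shared\Reports", "handle": 1204, "pid": 880,
     "accesses": ["DELETE", "ReadAttributes"]},
    {"time": "2004-09-09 14:31:40", "id": 562, "handle": 1204, "pid": 880},
    {"time": "2004-09-09 15:00:05", "id": 560, "user": r"PUBLICPC\carol",
     "object": r"C:\Shared\Reports\old", "handle": 2040, "pid": 912,
     "accesses": ["DELETE"]},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def delete_opens(events, watched):
    """Pair each 560 that requested DELETE under `watched` with its 562."""
    watched = watched.rstrip("\\").lower()
    open_handles = {}  # (pid, handle) -> finding still waiting for its 562
    findings = []
    for e in sorted(events, key=_ts):  # stable: same-second events keep log order
        key = (e["pid"], e["handle"])
        if e["id"] == 560:
            path = e["object"].lower()
            in_scope = path == watched or path.startswith(watched + "\\")
            # Handle values get reused, so a new 560 replaces any stale entry.
            open_handles.pop(key, None)
            if in_scope and "DELETE" in e["accesses"]:
                finding = {"user": e["user"], "object": e["object"],
                           "opened": e["time"], "closed": None}
                findings.append(finding)
                open_handles[key] = finding
        elif e["id"] == 562 and key in open_handles:
            open_handles.pop(key)["closed"] = e["time"]
    return findings
```

A finding whose `closed` value is `None` means the matching 562 was not in the records supplied, for example because the log was exported before the handle was closed.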