Archived from groups: microsoft.public.win2000.security (More info?)
You would first have to enable auditing of object access in the Local
Security Policy [or other appropriate security policy] and then set auditing
on the folder. Try not to audit all permissions - just the ones you want to
track which sounds like write data, both deletes, and maybe append data.
Updated files often delete the original version of the file. Make sure that
you increase the size security log a lot to at least 15MB. You will see a
LOT of object access events in the security log and then information will be
there though can take a while to track down. What can help is if you use the
free Event Comb from Microsoft on the server and use it to search for
specific event ID's and text screens such as the name of the file or the
permission such as write or delete. This will help quite a bit in sorting
through all the object access events. Also test this out first so you can
see can see what happens in the security log and what events to look
or. --- Steve
"ram4tech" <email@example.com> wrote in message
> How to find which user updated/created any file(s)/folder(s) under Windows
> 2000 server?
> Are there any tools/utilities.