Guest Kelly Armitage
Posted May 22, 2008

Can anyone tell if it is possible (and if yes how?) to log or audit file access. This is a large domain running 2003 AD with a mix of NT / 2000 servers.

The simple and basic scenario is as an example HR is a group all with access to Folder X. Within Folder X there are some basic spreadsheets that all these users can access. One of these users has either accidentally or intentionally deleted one of these files. Retrieving the file from tape took all of 3 minutes, but the powers that be would like to know which user it was that deleted it. I have looked through the event viewer security logs and cannot seem to find any reference to that file being accessed or deleted. Is there an auditing feature on the DC that will enable me to check for such things? If there is, which is it, and what would it look like so I can recognize it in the event viewer. I mean would the event specifically name the file that was deleted?

USER A deleted FILE X? Any pointers tips or methods others use would be great. It seems locking stuff down so that a small number of users are the only ones with access to it, isn't enough these days.

HELP!

Guest Hotsauce1
Posted May 22, 2008

Yes

"Kelly Armitage" wrote:
> Can anyone tell if it is possible (and if yes how?) to log or audit file
> access. This is a large domain running 2003 AD with a mix of NT / 2000
> servers.
>
> The simple and basic scenario is as an example HR is a group all with access
> to Folder X. Within Folder X there are some basic spreadsheets that all
> these users can access. One of these users has either accidentally or
> intentionally deleted one of these files. Retrieving the file from tape took
> all of 3 minutes, but the powers that be would like to know which user it was
> that deleted it. I have looked through the event viewer security logs and
> cannot seem to find any reference to that file being accessed or deleted. Is
> there an auditing feature on the DC that will enable me to check for such
> things? If there is, which is it, and what would it look like so I can
> recognize it in the event viewer. I mean would the event specifically name
> the file that was deleted?
>
> USER A deleted FILE X? Any pointers tips or methods others use would be
> great. It seems locking stuff down so that a small number of users are the
> only ones with access to it, isn't enough these days.
>
> HELP!

Guest S. Pidgorny
Posted May 25, 2008

http://support.microsoft.com/kb/310399 (XP, equally applies to Windows 2003)
http://support.microsoft.com/kb/301640 (Windows 2000)
http://support.microsoft.com/kb/157238 (Windows NT)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org
http://msmvps.com/blogs/sp

"Kelly Armitage" <KellyArmitage@discussions.microsoft.com> wrote in message news:B2FD540D-117C-4E66-8910-F6F03A5309F7@microsoft.com...
> Can anyone tell if it is possible (and if yes how?) to log or audit file
> access. This is a large domain running 2003 AD with a mix of NT / 2000
> servers.
>
> The simple and basic scenario is as an example HR is a group all with access
> to Folder X. Within Folder X there are some basic spreadsheets that all
> these users can access. One of these users has either accidentally or
> intentionally deleted one of these files. Retrieving the file from tape took
> all of 3 minutes, but the powers that be would like to know which user it was
> that deleted it. I have looked through the event viewer security logs and
> cannot seem to find any reference to that file being accessed or deleted. Is
> there an auditing feature on the DC that will enable me to check for such
> things? If there is, which is it, and what would it look like so I can
> recognize it in the event viewer. I mean would the event specifically name
> the file that was deleted?
>
> USER A deleted FILE X? Any pointers tips or methods others use would be
> great. It seems locking stuff down so that a small number of users are the
> only ones with access to it, isn't enough these days.
>
> HELP!
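
Added example, not part of any post in this thread: once object-access auditing and an audit entry on the folder are in place, the Windows Server 2003 Security log records a deletion as event 564, which carries only a handle ID, so the file name and user have to be taken from the event 560 (object open) that issued that handle. The Python below performs that join over constructed sample records; the dict keys and the sample paths and user names are assumptions made for this example.

```python
# Windows Server 2003 Security log event IDs for audited file objects.
OPEN, CLOSE, DELETED = 560, 562, 564

# Constructed sample records (not real log data), oldest first. Keys are
# simplified stand-ins for the event fields Handle ID, Process ID,
# Object Name and Client User Name.
SAMPLE_EVENTS = [
    {"id": 560, "time": "2008-05-21 09:14:02", "pid": "4", "handle": "1460",
     "object": r"D:\HR\FolderX\budget.xls", "client_user": "jsmith"},
    {"id": 562, "time": "2008-05-21 09:14:03", "pid": "4", "handle": "1460"},
    # Handle 1460 is reused by a later open of a different file.
    {"id": 560, "time": "2008-05-21 16:40:11", "pid": "4", "handle": "1460",
     "object": r"D:\HR\FolderX\salaries.xls", "client_user": "adavis"},
    {"id": 564, "time": "2008-05-21 16:40:11", "pid": "4", "handle": "1460"},
    {"id": 562, "time": "2008-05-21 16:40:11", "pid": "4", "handle": "1460"},
    # A delete whose 560 is missing, e.g. the log wrapped before export.
    {"id": 564, "time": "2008-05-21 17:02:45", "pid": "4", "handle": "2200"},
]


def attribute_deletions(events):
    """Join each 564 to the 560 that currently owns the same handle."""
    open_handles = {}  # (pid, handle) -> 560 record that issued the handle
    findings = []
    for ev in events:  # must be in chronological order
        key = (ev["pid"], ev["handle"])
        if ev["id"] == OPEN:
            open_handles[key] = ev
        elif ev["id"] == CLOSE:
            # Handle IDs are recycled; forget the owner once it is closed.
            open_handles.pop(key, None)
        elif ev["id"] == DELETED:
            opened = open_handles.get(key)
            findings.append({
                "time": ev["time"],
                "object": opened["object"] if opened else None,
                "user": opened["client_user"] if opened else None,
            })
    return findings


if __name__ == "__main__":
    for f in attribute_deletions(SAMPLE_EVENTS):
        print(f["time"], f["user"] or "UNATTRIBUTED", f["object"] or "(no 560)")
```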