{"id":1366,"date":"2014-07-30T02:45:29","date_gmt":"2014-07-30T07:45:29","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1366"},"modified":"2014-07-30T02:45:29","modified_gmt":"2014-07-30T07:45:29","slug":"use-auditing-to-track-who-deleted-your-files","status":"publish","type":"post","link":"https:\/\/www.wildow.com\/blog\/?p=1366","title":{"rendered":"Use auditing to track who deleted your files"},"content":{"rendered":"
\n

Use auditing to track who deleted your files<\/h1>\n

by\u00a0<\/span>Steve Wiseman<\/a><\/span>\u00a0<\/span>on\u00a0<\/span>March 21, 2008<\/abbr>\u00a0<\/span>\u00b7\u00a0<\/span>27 comments<\/a><\/span><\/p>\n

in\u00a0<\/span>Windows<\/a><\/span><\/p>\n<\/div>\n

http:\/\/www.intelliadmin.com\/index.php\/2008\/03\/use-auditing-to-track-who-deleted-your-files\/<\/a>
\nI had a reader write me a few days ago:<\/p>\n

\u2026I\u2019m in a school environment and a student has deleted some files and I would like to know how I can do this in Win2k server to catch this sucker. Please advice and more power to you.<\/i><\/p>\n

 <\/p>\n

This can be accomplished through auditing. Lets start out by identifying what folder we want to watch \u2013 and be careful where you turn on auditing\u2026turn it on too many folders with too many options and you can have huge performance issues.<\/p>\n

We find the folder we want, and right click on it and go to properties<\/p>\n

\"Audit<\/p>\n

This will bring up the properties page for the folder. Move over to the security tab, and click on the advanced button:<\/p>\n

\"Audit<\/p>\n

The advanced page will appear. Click on the Auditing tab, and click the add button:<\/p>\n

\"Audit<\/p>\n

A user dialog will come up. I chose to put the \u201cEveryone\u201d group here. This allows me to audit for any possible user account that may be deleting files. If you think you know who it might be\u2026you could put those users here instead. The smaller window of users being audited means better performance.<\/p>\n

\"Audit<\/p>\n

Once you click OK, a selection box will be displayed. Again \u2013 chose only the options you need. Each additional option will reduce performance. Here I just pick the options to audit deleting files and folders<\/p>\n

\"Audit<\/p>\n

Click OK through all of the windows you have open. If a user deletes a file or folder Windows will write an event to the security log.<\/p>\n

Now. We have our auditing turned on, and you get to work one morning and find that files are missing. Simply open the event viewer and move over to the security log. Look for the event ID 560:<\/p>\n

\"Audit<\/p>\n

Double click on the event, and you will need to sit there and read it for a little bit to determine who did what. Here is an excerpt from mine (I copied the text from event viewer to notepad for easier reading)<\/p>\n

\"Audit<\/p>\n

We can see from this log entry that the user Administrator deleted the file setuperr.log<\/p>\n

Now when someone deletes a file, you will have no problem determining who did it.<\/p>\n

If you have a windows administration question, or an idea for a utility please send me an email at\u00a0<\/span>support@intelliadmin.com<\/a>. I can\u2019t promise that I will answer every email, but I try to read them all.<\/p>\n

Check out our Windows Admin Tools<\/a><\/div>\n

One more thing\u2026Subscribe to my newsletter and get 11 free network administrator tools, plus a 30 page user guide so you can get the most out of them.\u00a0<\/span>Click Here to get your free tools<\/a><\/p>\n<\/div>\n

<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Use auditing to track who deleted your files by\u00a0Steve Wiseman\u00a0on\u00a0March 21, 2008\u00a0\u00b7\u00a027 comments in\u00a0Windows http:\/\/www.intelliadmin.com\/index.php\/2008\/03\/use-auditing-to-track-who-deleted-your-files\/ I had a reader write me a few days ago: \u2026I\u2019m in a school environment and a student has deleted some files and I would … Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1366","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1366"}],"version-history":[{"count":1,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1366\/revisions"}],"predecessor-version":[{"id":1367,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1366\/revisions\/1367"}],"wp:attachment":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}