For the record, this is what the 'fatal finger' looks like in the audit
logs. In the first event you get a delete/synchronize; in the second
you get a synchronize [full details omitted].
-------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Object Name: F:\SYS\Litigation client data\Susan Bradley\Client
Accesses: DELETE
          SYNCHRONIZE
          ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x110080
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Object Name: F:\SYS\Litigation client data\Susan Bradley\Test
Accesses: SYNCHRONIZE
          AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x100004
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
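
An added example, not part of the original message: a Python sketch that decodes the Access Mask field of event 560 records like the two above and lists the objects whose handle was opened with DELETE. The function names and the trimmed sample text are constructed for illustration; the bit values are the standard file access rights from winnt.h.

```python
import re
# File/directory access-right bits as defined in the Windows SDK (winnt.h).
ACCESS_BITS = {
    0x000001: "ReadData/ListDirectory", 0x000002: "WriteData/AddFile",
    0x000004: "AppendData/AddSubdirectory", 0x000008: "ReadEA",
    0x000010: "WriteEA", 0x000020: "Execute/Traverse",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Constructed sample: the two records above, trimmed to the fields used here.
SAMPLE = r"""
Event ID: 560
Object Name: F:\SYS\Litigation client data\Susan Bradley\Client
Access Mask: 0x110080
-------------------------------------------------------
Event ID: 560
Object Name: F:\SYS\Litigation client data\Susan Bradley\Test
Access Mask: 0x100004
"""
FIELD = re.compile(r"^(Event ID|Object Name|Access Mask):\s*(.+?)\s*$", re.M)

def decode_mask(mask):
    """Return the names of the rights set in mask, lowest bit first."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    if unknown:  # bits outside the table are reported, not dropped
        names.append(f"unknown:0x{unknown:x}")
    return names

def parse_560(text):
    """Split on dashed separator lines; return (object, mask, rights) per event 560."""
    events = []
    for chunk in re.split(r"^-{2,}\s*$", text, flags=re.M):
        fields = dict(FIELD.findall(chunk))
        if fields.get("Event ID") == "560" and "Access Mask" in fields:
            mask = int(fields["Access Mask"], 16)
            events.append((fields.get("Object Name", "?"), mask, decode_mask(mask)))
    return events

def delete_requests(events):
    """Object names whose handle was opened with the DELETE right (0x010000)."""
    return [name for name, mask, _ in events if mask & 0x010000]

if __name__ == "__main__":
    for name, mask, rights in parse_560(SAMPLE):
        print(f"{name}: 0x{mask:06x} -> {', '.join(rights)}")
```
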