Security event logs are great things; learning how to search them for the right data can be invaluable and increase the security at your company drastically. It will mean that instead of saying "Who did this?", you will know who did it. Instead of going "When did that happen?", you'll know when it happened.
Unfortunately, you end up having to almost export your event logs to another location to make them searchable on active systems. The only bad part is that, once you get the data, you find yourself sitting there going "Oh, that script did it..." or worse - "I did it?!" or something similar. 95% of the time when you're going "Oh yeah, I'm gonna get them this time", you realize that there isn't anyone to get. After a little while you'll stop expecting to 'get them' this time and go "OK, what do I need to fix this time", and kind of dread the idea of it being someone doing something wrong, and hope it's just something that you can fix in 10 minutes, because if someone did something wrong, then you have to spend 2-4 hours in meetings discussing why they did it, how they did it, how to avoid it happening again, etc.
On 10/5/06, J B <[EMAIL PROTECTED]> wrote:
I was hoping that there was some way to see who created it rather than wait until it happened again, or wait until someone accessed it... I'll have to settle for the auditing though.
Thanks!
----- Original Message -----
From: Brian Desmond
Sent: Thursday, October 05, 2006 11:14 AM
Subject: RE: [ActiveDir] Who keeps creating this folder & files?!
Set some auditing on the folder that this is happening in and watch the security log for the relevant audits…
c - 312.731.3132
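The thread's advice (audit the folder, then search the exported Security log) can be sketched as follows. This is an added example, not code from any poster in the thread. It assumes the log was exported as XML (for instance with `wevtutil qe Security /f:xml`) and wrapped in a single root element, and that object access is recorded as event 4663 as on current Windows versions; the function names, accounts, paths and times are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# File-system access-mask bits: 0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory.
CREATE_BITS = 0x2 | 0x4

def _event(eid, when, user, path, mask, proc):
    """Build one constructed event in the shape of an XML Security log export."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="SubjectDomainName">EXAMPLE</Data>'
            f'<Data Name="ObjectName">{path}</Data>'
            f'<Data Name="AccessMask">{mask}</Data>'
            f'<Data Name="ProcessName">{proc}</Data></EventData></Event>')

# Constructed sample; accounts, paths and times are made up.
SAMPLE = "<Events>" + "".join([
    _event(4663, "2024-01-15T09:30:00Z", "svc_export",
           r"D:\Shares\Finance\tmp_export", "0x4", r"C:\Scripts\export.exe"),
    _event(4663, "2024-01-15T09:31:00Z", "jdoe",
           r"D:\Shares\Finance\report.xlsx", "0x1", r"C:\Windows\explorer.exe"),
    _event(4663, "2024-01-15T09:32:00Z", "jdoe",
           r"D:\Shares\HR\notes.txt", "0x2", r"C:\Windows\explorer.exe"),
    _event(4656, "2024-01-15T09:33:00Z", "jdoe",
           r"D:\Shares\Finance\other", "0x4", r"C:\Windows\explorer.exe"),
]) + "</Events>"

def find_creators(xml_text, folder):
    """Return sorted (time, account, process, path) for create-type accesses under folder."""
    prefix = folder.rstrip("\\").lower() + "\\"
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue  # only "an attempt was made to access an object"
        d = {n.get("Name"): (n.text or "") for n in ev.findall("e:EventData/e:Data", NS)}
        try:
            mask = int(d.get("AccessMask", "0"), 16)
        except ValueError:
            continue  # skip malformed records rather than abort the search
        path = d.get("ObjectName", "")
        if not (mask & CREATE_BITS) or not path.lower().startswith(prefix):
            continue  # read-only access, or an object outside the audited folder
        tc = ev.find("e:System/e:TimeCreated", NS)
        when = tc.get("SystemTime") if tc is not None else ""
        account = d.get("SubjectDomainName", "") + "\\" + d.get("SubjectUserName", "")
        hits.append((when, account, d.get("ProcessName", ""), path))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_creators(SAMPLE, r"D:\Shares\Finance"):
        print(*hit, sep="  ")
```

The `ProcessName` column is what separates "that script did it" from a person working in Explorer.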