You might look for other event IDs right around event 564 that should provide more information, like event ID 560. That one should show you the folder/file being deleted. I don't have a win2k3 box to test this on right now, but on my XP box, I have consecutive event IDs of 560 (shows folder/file being deleted), 567 and 562. I think event 564 on win2k3 is probably equivalent to my 567 on XP.

Thanks,
James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services

________________________________
From: Rick Corgiat [mailto:[EMAIL PROTECTED]
Posted At: Friday, January 11, 2008 10:34 AM
Posted To: NTSysadmin
Conversation: Logging when a user moves a specific folder
Subject: RE: Logging when a user moves a specific folder

Thanks James!

I set up auditing as you suggested and it does work. I created a test folder then deleted it and event 564 showed up in the security log. Should the log entry show what folder/file was deleted? This is the log verbiage:

Object Deleted:
    Object Server: Security
    Handle ID: 704
    Process ID: 5776
    Image File Name: C:\WINDOWS\explorer.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks again,
Rick

________________________________
From: James Winzenz [mailto:[EMAIL PROTECTED]
Sent: Friday, January 11, 2008 10:27 AM
To: NT System Admin Issues
Subject: RE: Logging when a user moves a specific folder

Since moving a folder involves deleting it from its current location, you should be able to configure auditing for the following items on the parent folder in question:

Delete - successful
Delete subfolder and files - successful

You will need to specify the group to be audited against - you will need to select a group or groups that includes everyone who has a minimum of read/write access to the folder. You also have to make sure in your local security policy that audit object access success is enabled in order for the above items to be logged. They will show up in your security log. Look for event ID 564, which is object deleted, once you have done the above, and someone tells you a folder is missing. You should be able to find out who did the deed.

HTH,
James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services

________________________________
From: Rick Corgiat [mailto:[EMAIL PROTECTED]
Posted At: Friday, January 11, 2008 8:44 AM
Posted To: NTSysadmin
Conversation: Logging when a user moves a specific folder
Subject: Logging when a user moves a specific folder

I have a client who is telling me that some folders on their server are disappearing. The folder structure is this:

-2006
    -LastName,FirstName
-2007
    -LastName,FirstName
-2008
    -LastName,FirstName

The folders that disappear are the LastName,FirstName folders. If I search the server, I'll find the folders in the wrong parent folder or a different LastName,FirstName folder. I am sure that one of the users is moving the folders. I can't lock down the folders because they do need to move data on occasion.

My question, is there any way to turn on logging to catch who is moving these folders? 3rd party software maybe?

The server is running Windows Server 2003 fully patched

Thanks

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you.
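
Added example, not part of the original thread: event 564 as quoted above carries only a Handle ID and Process ID, so this sketch pairs each 564 with the most recent event 560 that has the same Process ID and Handle ID to recover the user and folder name. The 560 field layout, the sample log entries, and the names `parse` and `correlate_deletes` are assumptions made for illustration.

```python
import re

# Constructed sample, oldest first: (event ID, description). The 564 text uses
# the layout quoted in the thread; the 560 field layout is an assumption and
# every path, user name and ID here is made up.
SAMPLE_LOG = [
    (560, r"Object Open: Object Server: Security Object Type: File Object Name: "
          r"D:\Data\2007\Doe,Jane Handle ID: 704 Process ID: 5776 "
          r"Primary User Name: asmith Accesses: DELETE"),
    (564, r"Object Deleted: Object Server: Security Handle ID: 704 "
          r"Process ID: 5776 Image File Name: C:\WINDOWS\explorer.exe"),
    # Handle 704 is reused by the same process for a different folder.
    (560, r"Object Open: Object Server: Security Object Type: File Object Name: "
          r"D:\Data\2008\Roe,Rick Handle ID: 704 Process ID: 5776 "
          r"Primary User Name: bjones Accesses: DELETE"),
    (564, r"Object Deleted: Object Server: Security Handle ID: 704 "
          r"Process ID: 5776 Image File Name: C:\WINDOWS\explorer.exe"),
    # No 560 was logged for this handle, so the delete stays unresolved.
    (564, r"Object Deleted: Object Server: Security Handle ID: 1300 "
          r"Process ID: 5776 Image File Name: C:\WINDOWS\explorer.exe"),
]

FIELDS = {
    "object": re.compile(r"Object Name: (.+?) Handle ID:"),
    "handle": re.compile(r"Handle ID: (\d+)"),
    "pid": re.compile(r"Process ID: (\d+)"),
    "user": re.compile(r"Primary User Name: (\S+)"),
}

def parse(description):
    """Pull the fields needed for correlation out of one event description."""
    found = ((name, rx.search(description)) for name, rx in FIELDS.items())
    return {name: m.group(1) for name, m in found if m}

def correlate_deletes(events):
    """Return (user, object) for each 564, taken from the latest matching 560."""
    open_handles = {}  # (pid, handle) -> parsed fields of the most recent 560
    deletes = []
    for event_id, description in events:
        fields = parse(description)
        key = (fields.get("pid"), fields.get("handle"))
        if event_id == 560:
            open_handles[key] = fields  # a reused handle overwrites the old entry
        elif event_id == 564:
            opened = open_handles.pop(key, {})
            deletes.append((opened.get("user"), opened.get("object")))
    return deletes

if __name__ == "__main__":
    for user, obj in correlate_deletes(SAMPLE_LOG):
        print(user or "unknown user", "deleted", obj or "unknown object")
```

Handle IDs are reused over time, which is why the sketch walks the log in order and matches each delete only to the latest open for that process and handle.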
