Thanks James!

I set up auditing as you suggested and it does work. I created a test
folder then deleted it and event 564 showed up in the security log.
Should the log entry show what folder/file was deleted? This is the log
verbiage:

Object Deleted:
        Object Server:    Security
        Handle ID:        704
        Process ID:       5776
        Image File Name:  C:\WINDOWS\explorer.exe

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

 

Thanks again,

 

Rick

________________________________

From: James Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 11, 2008 10:27 AM
To: NT System Admin Issues
Subject: RE: Logging when a user moves a specific folder

 

 

Since moving a folder involves deleting it from its current location,
you should be able to configure auditing for the following items on the
parent folder in question:

 

Delete - successful
Delete subfolder and files - successful

 

You will need to specify the group to be audited against - you will need
to select a group or groups that includes everyone who has a minimum of
read/write access to the folder.

 

You also have to make sure in your local security policy that audit
object access success is enabled in order for the above items to be
logged.  They will show up in your security log.  Look for event ID 564,
which is object deleted, once you have done the above, and someone tells
you a folder is missing.  You should be able to find out who did the
deed.

 

HTH, 

 

James Winzenz

Infrastructure Engineer - Security

Pulte Homes Information Services

 

________________________________

From: Rick Corgiat [mailto:[EMAIL PROTECTED] 
Posted At: Friday, January 11, 2008 8:44 AM
Posted To: NTSysadmin
Conversation: Logging when a user moves a specific folder
Subject: Logging when a user moves a specific folder
  

 

I have a client who is telling me that some folders on their server are
disappearing. The folder structure is this:

 

-2006
      -LastName,FirstName
-2007
      -LastName,FirstName
-2008
      -LastName,FirstName

 

The folders that disappear are the LastName,FirstName folders. If I
search the server, I'll find the folders in the wrong parent folder or a
different LastName,FirstName folder. I am sure that one of the users is
moving the folders. I can't lock down the folders because they do need
to move data on occasion. My question: is there any way to turn on
logging to catch who is moving these folders? 3rd party software maybe?
The server is running Windows Server 2003, fully patched.

Thanks
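
The event 564 entry quoted in this thread carries only a Handle ID and Process ID. As an added example that is not part of the original thread: on Windows Server 2003 the object name and user are recorded in the earlier event 560 (Object Open) with the same Process ID and Handle ID, so the two can be paired. The plain-text record layout, paths and user names below are constructed for illustration.

```python
import re

# Constructed sample records, oldest first; path and user name are invented.
SAMPLE = r"""
Event ID: 560
Object Name: D:\Clients\2007\Doe,Jane
Handle ID: 704
Process ID: 5776
Primary User Name: asmith
Client User Name: -

Event ID: 564
Handle ID: 704
Process ID: 5776
Image File Name: C:\WINDOWS\explorer.exe

Event ID: 564
Handle ID: 912
Process ID: 5776
"""

def parse_records(text):
    """Split the export on blank lines and turn 'Field: value' lines into dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        records.append(fields)
    return records

def resolve_deletes(records):
    """Return (object name, user) per 564; both None when no 560 was logged."""
    open_handles = {}  # (Process ID, Handle ID) -> most recent 560 record
    results = []
    for rec in records:
        key = (rec.get("Process ID"), rec.get("Handle ID"))
        if rec.get("Event ID") == "560":
            open_handles[key] = rec  # handle IDs are reused; latest open wins
        elif rec.get("Event ID") == "564":
            opened = open_handles.pop(key, {})
            user = opened.get("Client User Name", "-")
            if user == "-":  # local access: no client, fall back to primary
                user = opened.get("Primary User Name")
            results.append((opened.get("Object Name"), user))
    return results

print(resolve_deletes(parse_records(SAMPLE)))
```

A 564 with no matching 560 (the second delete in the sample) means the open was not audited or falls outside the exported window.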

 

 










 
    

