Check the following Group Policy Objects to see if you have auditing enabled:
1. Default Domain Controllers Policy
2. Default Server Policy
3. Default Computer Policy

Do you have auditing enabled for the Default Domain Policy? Which specific GPO do you have this setting applied to?

BTW, our Default Domain Controllers Policy has the audit object access set to No Auditing. If yours is configured this way, it would override any domain GPO if "No Override" is not specified, and I really don't think you would want to do that with your domain controller(s). Since the Default Domain Controllers Policy is linked to the Domain Controllers OU, it would take precedence over the Default Domain Policy.

The audit setting (as previously mentioned) is audit object access, and you would at least need to enable for success. Then on the folder (and subfolders and files) in question, you would need to configure auditing for delete, delete subfolder and files. You would also need to specify the individual (or group) that should be audited against. It appears this would be logged under event ID 560.

Thanks,

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services

________________________________
From: Paul Everett [mailto:[EMAIL PROTECTED]
Posted At: Thursday, September 18, 2008 11:34 AM
Posted To: NTSysadmin
Conversation: logging deleted files
Subject: RE: logging deleted files

I don't have a Domain Controller Security Policy in Admin Tools, just Local Security Policy and "yes" the "Define these policy settings" box is missing. I just meant the files in question are on the DC.

________________________________
From: Ralph Smith [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2008 2:15 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

I think you want to go to Administrative Tools > Domain Controller Security Policy > Local Security Policy if this applies to the domain controller. There should be a box for "Define these policy settings". Is that what's missing?

I'm not sure what you mean by the file being located in the Domain Group Policy on the DC. Do you mean the file is on the Domain Controller under the C:\WINDOWS\SYSVOL\domain\Policies folder?

Ralph Smith
Gateway Community Industries
845-331-1261 x234

________________________________
From: Paul Everett [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2008 1:31 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

Thanks for the link Ralph. I have auditing from the folder in question's Properties enabled and also in Domain Group Policy on the DC, which is where the file is located. I can't get anything to show up in event log. In the Local Security Policy the "audit local object" success and failures are grayed out with no "enable" box.

________________________________
From: Ralph Smith [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2008 11:47 AM
To: NT System Admin Issues
Subject: RE: logging deleted files

http://sogeeky.blogspot.com/2006/07/how-to-audit-and-track-file-deletions.html

Ralph Smith
Gateway Community Industries
845-331-1261 x234

________________________________
From: James Rankin [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2008 10:43 AM
To: NT System Admin Issues
Subject: Re: logging deleted files

You can turn on file auditing for particular folders if you know which folders are at risk

Right-click folder Properties, Security, Advanced, Auditing

2008/9/18 Paul Everett <[EMAIL PROTECTED]>

Is there anything that logs the event when files are deleted over the network? A user in one of our departments is deleting files, either unintentionally or not. The best I can do is check my daily backups to find out which day it happened, but we'd like to find out who it is. We don't need something to recover deleted network files, just something that logs the event that includes the username. Is there anything out there that can do this? We have a 2003 AD Domain.

Thanks,

Paul Everett
IS Dept.
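
The folder-level steps from James Winzenz's reply at the top of the thread (a success audit entry for delete and delete subfolders and files, then a search for event ID 560), as an added PowerShell example that is not part of the original thread. The folder path and group name are placeholder assumptions, and it assumes Windows PowerShell run elevated on the server that holds the files, with "audit object access" already enabled for success by the GPO that applies to that server.

```powershell
# Added example, not from the thread. Both values below are placeholders.
$Folder  = 'D:\Shares\Dept'        # assumed: the folder where files go missing
$Audited = 'EXAMPLE\Dept Users'    # assumed: the user or group to audit

# The two rights named in the thread: "Delete" and "Delete Subfolders and Files".
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
# Apply the entry to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
# Success auditing is the minimum the thread calls for.
$flags     = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $Audited, $rights, $inherit, $propagate, $flags

# -Audit makes Get-Acl return the SACL; without it only the DACL is loaded
# and the audit rule added below would not be written back.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Confirm the entry is present and not just inherited from a parent.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# After a test delete, look for event ID 560 (the ID mentioned in the thread)
# in the Security log. Matching on 'DELETE' and the folder path in the message
# text is an assumption about how the access and object name are rendered.
Get-EventLog -LogName Security -Newest 5000 |
    Where-Object {
        $_.EventID -eq 560 -and
        $_.Message -match 'DELETE' -and
        $_.Message -like "*$Folder*"
    } |
    Select-Object TimeGenerated, UserName, Message |
    Format-List
```

If the last query returns nothing after a test delete, the folder entry is in place but the audit policy is not taking effect on that server, which points back to the GPO precedence question raised in the thread.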