Re: logging deleted files

2008-09-18 Thread James Rankin
You can turn on file auditing for particular folders if you know which
folders are at risk

Right-click folder Properties, Security, Advanced, Auditing

2008/9/18 Paul Everett [EMAIL PROTECTED]

  Is there anything that logs the event when files are deleted over the
 network?



 A user in one of our departments is deleting files, either unintentionally
 or not.  The best I can do is check my daily backups to find out which day
 it happened, but we'd like to find out who it is.  We don't need something
 to recover deleted network files, just something that logs the event that
 includes the username.  Is there anything out there that can do this?

 We have a 2003 AD Domain.

 Thanks,

 *Paul Everett*
 *IS Dept.*


 Confidentiality Notice: This e-mail message, including any
 attachments, is for the sole use of the intended recipient(s) and may
 contain confidential and privileged information.  Any unauthorized review,
 use, disclosure, or distribution is prohibited.   If you are not the
 intended recipient, please contact the sender by reply e-mail and destroy
 all copies of the original message, including attachments.









~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: logging deleted files

2008-09-18 Thread Ralph Smith
http://sogeeky.blogspot.com/2006/07/how-to-audit-and-track-file-deletions.html

 

Ralph Smith
Gateway Community Industries
845-331-1261 x234

 



From: James Rankin [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 10:43 AM
To: NT System Admin Issues
Subject: Re: logging deleted files

 

 You can turn on file auditing for particular folders if you know which
folders are at risk

Right-click folder Properties, Security, Advanced, Auditing

Confidentiality Notice: 

--



This communication, including any attachments, may contain confidential 
information and is intended only for the individual or entity to whom it is 
addressed. Any review, dissemination, or copying of this communication by 
anyone other than the intended recipient is strictly prohibited. If you are not 
the intended recipient, please contact the sender by reply email, delete and 
destroy all copies of the original message.


RE: logging deleted files

2008-09-18 Thread Paul Everett
Thanks for the link Ralph.

 

I have auditing from the folder in question's Properties enabled and
also in Domain Group Policy on the DC, which is where the file is
located.

I can't get anything to show up in event log.

 

In the Local Security Policy the audit local object success and
failures are grayed out with no enable box.

 



From: Ralph Smith [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 11:47 AM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

http://sogeeky.blogspot.com/2006/07/how-to-audit-and-track-file-deletions.html

 

Ralph Smith
Gateway Community Industries
845-331-1261 x234

 




RE: logging deleted files

2008-09-18 Thread Paul Everett
 

I have auditing from the folder in question's Properties enabled and
also in Domain Group Policy on the DC, which is where the file is
located.

I can't get anything to show up in event log of the DC.

 

In the Local Security Policy of the DC the audit local object success
and failures are grayed out with no enable box.

 

 




RE: logging deleted files

2008-09-18 Thread Paul Everett
I don't have a Domain Controller Security Policy in Admin Tools, just
Local Security Policy and yes the Define these policy settings box
is missing.

I just meant the files in question are on the DC.

 



From: Ralph Smith [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 2:15 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

I think you want to go to 

 

Administrative Tools  Domain Controller Security Policy  Local
Security Policy

 

if this applies to the domain controller.

 

There should be a box for Define these policy settings.  Is that
what's missing?

 

I'm not sure what you mean by the file being located in the Domain Group
Policy on the DC.  Do you mean the file is on the Domain Controller
under the C:\WINDOWS\SYSVOL\domain\Policies folder?

Ralph Smith
Gateway Community Industries
845-331-1261 x234

 



From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 1:31 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

Thanks for the link Ralph.

 

I have auditing from the folder in question's Properties enabled and
also in Domain Group Policy on the DC, which is where the file is
located.

I can't get anything to show up in event log.

 

In the Local Security Policy the audit local object success and
failures are grayed out with no enable box.

 

 




RE: logging deleted files

2008-09-18 Thread Geling, Jos HS
The program Undelete Server can help
1. It puts files in the recovery bin, so they can be recovered.
2. It logs who deleted the file.
 
Jos
 
 


From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 16:34
To: NT System Admin Issues
Subject: logging deleted files



Is there anything that logs the event when files are deleted over the
network?

 

A user in one of our departments is deleting files, either unintentionally
or not.  The best I can do is check my daily backups to find out which day
it happened, but we'd like to find out who it is.  We don't need something
to recover deleted network files, just something that logs the event that
includes the username.  Is there anything out there that can do this?

We have a 2003 AD Domain.

Thanks,

Paul Everett 
IS Dept. 



RE: logging deleted files

2008-09-18 Thread Holstrom, Don
I have tried this program in different versions in different iterations
at different times over the last few years, and it has always brought
down my file servers. Is there a new version that would work with Server
08?

 

From: Geling, Jos HS [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 2:46 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

The program Undelete Server can help

1. It puts files in the recovery bin, so they can be recovered.

2. It logs who deleted the file.

 

Jos

 

 

 




RE: logging deleted files

2008-09-18 Thread Paul Everett
There is a 2009 version that supports Server 08.

 



From: Holstrom, Don [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 2:51 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

I have tried this program in different versions in different iterations
at different times over the last few years, and it has always brought
down my file servers. Is there a new version that would work with Server
08?

 


RE: logging deleted files

2008-09-18 Thread Holstrom, Don
Anyone using, used Undelete Server version 2009?

 

From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 3:00 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

There is a 2009 version that supports Server 08.

 




RE: logging deleted files

2008-09-18 Thread NTSysAdmin
If it's a DC then you should have both Domain Controller Security Policy and 
Domain Security Policy in Admin Tools, if not, it's not your DC.

S

From: Paul Everett [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2008 3:34 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

I don't have a Domain Controller Security Policy in Admin Tools, just Local 
Security Policy and yes the Define these policy settings box is missing.
I just meant the files in question are on the DC.



RE: logging deleted files

2008-09-18 Thread James Winzenz
Check the following Group Policy Objects to see if you have auditing
enabled:

 

1.  Default Domain Controllers Policy
2.  Default Server Policy
3.  Default Computer Policy

 

Do you have auditing enabled for the Default Domain Policy?  Which
specific GPO do you have this setting applied to?  BTW, our Default
Domain Controllers Policy has the audit object access set to No
Auditing.  If yours is configured this way, it would override any domain
gpo if No Override is not specified, and I really don't think you
would want to do that with your domain controller(s).  Since the Default
Domain Controllers Policy is linked to the Domain Controllers OU, it
would take precedence over the Default Domain Policy.

 

The audit setting (as previously mentioned) is audit object access, and
you would at least need to enable for success.  Then on the folder (and
subfolders and files) in question, you would need to configure auditing
for delete, delete subfolder and files.  You would also need to specify
the individual (or group) that should be audited against.  It appears
this would be logged under event ID 560.  

 

Thanks,

 

James Winzenz

Infrastructure Engineer - Security

Pulte Homes Information Services

 



From: Paul Everett [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, September 18, 2008 11:34 AM
Posted To: NTSysadmin
Conversation: logging deleted files
Subject: RE: logging deleted files
  

I don't have a Domain Controller Security Policy in Admin Tools, just
Local Security Policy and yes the Define these policy settings box
is missing.

I just meant the files in question are on the DC.

 




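The folder-level steps James Winzenz describes above (an audit entry for Delete and Delete subfolders and files, then looking for event ID 560) can be scripted. The PowerShell below is an added example, not part of the thread; the folder path and group name are placeholders. It assumes "Audit object access" is already enabled for success by the GPO that applies to the server, that PowerShell 2.0 or later is installed, and that the event text uses the Server 2003 field labels "Accesses", "Object Name", "Client User Name" and "Primary User Name".

```powershell
# Added example. Placeholders (not from the thread): $Folder and $Audited.
# Run from an elevated prompt on the server that holds the files.
$Folder  = 'D:\Shares\Dept'         # placeholder path
$Audited = 'EXAMPLE\Domain Users'   # placeholder group to audit

# --- 1. Audit entry: log successful "Delete" and "Delete subfolders and files",
#        inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$success = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule `
               -ArgumentList $Audited, $rights, $inherit, $prop, $success

$acl = Get-Acl -Path $Folder -Audit     # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# --- 2. Show the audit entries now on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# --- 3. List event ID 560 entries that requested DELETE access under $Folder.
function Get-AuditField([string]$Message, [string]$Label) {
    # Returns the text after "<Label>:" on the same line, or nothing if absent.
    if ($Message -match ([regex]::Escape($Label) + ':[ \t]*(.*)')) {
        return $Matches[1].Trim()
    }
}

Get-EventLog -LogName Security |
    Where-Object {
        # 560 is written for any audited access, so keep only entries whose
        # Accesses list includes DELETE and whose text mentions the folder.
        $_.EventID -eq 560 -and
        $_.Message -cmatch '(?s)Accesses:.*?\bDELETE\b' -and
        $_.Message -like "*$Folder*"
    } |
    ForEach-Object {
        # For access over the network the remote user is in "Client User Name";
        # for local access that field is "-" and the user is in "Primary User Name".
        $user = Get-AuditField $_.Message 'Client User Name'
        if (-not $user -or $user -eq '-') {
            $user = Get-AuditField $_.Message 'Primary User Name'
        }
        New-Object PSObject -Property @{
            Time   = $_.TimeGenerated
            User   = $user
            Object = Get-AuditField $_.Message 'Object Name'
        }
    } |
    Select-Object Time, User, Object |
    Sort-Object Time
```

If step 3 returns nothing after a test deletion, the audit policy is not reaching the server, which is the GPO precedence question raised in the message above.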
RE: logging deleted files

2008-09-18 Thread Paul Everett
I don't know if that would be a nightmare or a revelation to find out
that my DC wasn't my DC, but alas it is.  It just doesn't show either of
the Domain Security Policies in Admin Tools.  I did however find the
Domain Controller Security Policy in the GP of the Domain Controllers in
Active Directory.  I made the change and expect it to show up with my
next Server reboot.

Thanks!

 



From: Steve Moffat [mailto:[EMAIL PROTECTED] On Behalf Of NTSysAdmin
Sent: Thursday, September 18, 2008 4:22 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

If it's a DC then you should have both Domain Controller Security
Policy and Domain Security Policy in Admin Tools, if not, it's not your
DC.

 

S

 

From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 3:34 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

I don't have a Domain Controller Security Policy in Admin Tools, just
Local Security Policy and yes the Define these policy settings box
is missing.

I just meant the files in question are on the DC.

 



From: Ralph Smith [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 2:15 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

I think you want to go to 

 

Administrative Tools  Domain Controller Security Policy  Local
Security Policy

 

if this applies to the domain controller.

 

There should be a box for Define these policy settings.  Is that
what's missing?

 

I'm not sure what you mean by the file being located in the Domain Group
Policy on the DC.  Do you mean the file is on the Domain Controller
under the C:\WINDOWS\SYSVOL\domain\Policies folder?

Ralph Smith
Gateway Community Industries
845-331-1261 x234

 



From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 1:31 PM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

Thanks for the link Ralph.

 

I have auditing from the folder in question's Properties enabled and
also in Domain Group Policy on the DC, which is where the file is
located.

I can't get anything to show up in event log.

 

In the Local Security Policy the audit local object success and
failures are grayed out with no enable box.

 

 



From: Ralph Smith [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 11:47 AM
To: NT System Admin Issues
Subject: RE: logging deleted files

 

http://sogeeky.blogspot.com/2006/07/how-to-audit-and-track-file-deletions.html

 

Ralph Smith
Gateway Community Industries
845-331-1261 x234

 



From: James Rankin [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 10:43 AM
To: NT System Admin Issues
Subject: Re: logging deleted files

 

 You can turn on file auditing for particular folders if you know which
folders are at risk

Right-click folder Properties, Security, Advanced, Auditing

2008/9/18 Paul Everett [EMAIL PROTECTED]

Is there anything that logs the event when files are deleted over the
network?

 

A user in one of our departments is deleting files, either
unintentionally or not.  The best I can do is check my daily backups to
find out which day it happened, but we'd like to find out who it is.  We
don't need something to recover deleted network files, just something
that logs the event that includes the username.  Is there anything out
there that can do this?

We have a 2003 AD Domain.

Thanks,

Paul Everett 
IS Dept. 



RE: logging deleted files

2008-09-18 Thread James Winzenz
You shouldn't have to wait for the server to reboot for the GPO to be
updated - if you want, you can force the group policy settings to be
refreshed sooner than the default group policy refresh interval.

 

Thanks,

 

James Winzenz

Infrastructure Engineer - Security

Pulte Homes Information Services

 




RE: logging deleted files

2008-09-18 Thread Paul Everett
Thanks, it refreshed the policy already without the reboot.

Looks like I have what I need now.

I appreciate the guidance.

 

Paul
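
Once object-access auditing is producing events, the remaining step is reading them. The sketch below is an added example, not something posted by anyone in the thread: on Server 2003 a deletion is logged as event 564, which carries only a Handle ID, so it has to be matched to the earlier event 560 that names the file and, for access over the network, the Client User Name. The one-line "ID|key=value;..." export layout, the server name and the sample records are constructed assumptions.

```python
# Correlate Server 2003 Security-log events 560 (object open) and
# 564 (object deleted) to report who deleted which file.
SAMPLE_LOG = r"""
560|Object Name=D:\Shares\Dept\budget.xls;Handle ID=1120;Primary User Name=FS01$;Client User Name=jdoe;Accesses=DELETE ReadAttributes
560|Object Name=D:\Shares\Dept\notes.doc;Handle ID=1188;Primary User Name=FS01$;Client User Name=asmith;Accesses=ReadData
564|Handle ID=1120
560|Object Name=D:\Shares\Dept\old.txt;Handle ID=1200;Primary User Name=admin;Client User Name=-;Accesses=DELETE
564|Handle ID=1200
564|Handle ID=9999
"""

def parse_record(line):
    """Split one exported record into (event_id, {field: value})."""
    event_id, _, body = line.partition("|")
    fields = dict(p.split("=", 1) for p in body.split(";") if "=" in p)
    return int(event_id), fields

def find_deletions(log_text):
    """Return ([(user, path), ...], [handle IDs of 564s with no matching 560])."""
    open_handles = {}            # Handle ID -> (user, path) opened with DELETE
    deletions, unmatched = [], []
    for line in log_text.strip().splitlines():
        event_id, f = parse_record(line)
        handle = f.get("Handle ID")
        if event_id == 560:
            if "DELETE" in f.get("Accesses", "").split():
                # Over a share the primary user is the server's own account;
                # the remote user is in Client User Name ("-" when local).
                client = f.get("Client User Name", "-")
                user = client if client != "-" else f.get("Primary User Name", "?")
                open_handles[handle] = (user, f.get("Object Name", "?"))
            else:
                open_handles.pop(handle, None)   # handle reused, drop stale entry
        elif event_id == 564:
            hit = open_handles.pop(handle, None)
            if hit is None:
                unmatched.append(handle)         # the 560 was not in this export
            else:
                deletions.append(hit)
    return deletions, unmatched

if __name__ == "__main__":
    deleted, orphaned = find_deletions(SAMPLE_LOG)
    for user, path in deleted:
        print(f"{user} deleted {path}")
    print("564 events with no matching 560:", orphaned)
```

A 560 with DELETE access on its own only shows that the file was opened with permission to delete; the deletion is confirmed by the 564 for the same handle.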

 


