HELP - What log will tell who is deleting files?

C

Clubsprint

Every second week we get about 30G of data that mysteriously"disappears.
Luckily our backups are pretty good and we can restore but it's only a
matter of time till we lose some data.
I figure the accessing and deletion can be logged but I'm not sure how to go
about it.
Can someone help please?

Mark
 
M

Meinolf Weber [MVP-DS]

Hello Clubsprint,

From another posting, how to enable auditing for files folders:
-------------------------------------------------------------------------------------------
Enabling file auditing is a 2-step process.

[1] Configure "audit object access" in AD Group Policy or on the server's
local GPO. This setting is located under Computer Configuration-->Windows
Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure
auditing for "Audit object access."

[2] Configure an audit entry on the specific folder(s) that you wish to audit.
Right-click on the folder-->Properties-->Advanced. From the Auditing tab,
click Add, then enter the users/groups whom you wish to audit and what actions
you wish to audit - auditing Full Control will create an audit entry every
time anyone opens/changes/closes/deletes a file, or you can just audit for
Delete operations.

After you've done both of these steps, any file deletions will show up in
the Security log of the file server that hosts those files.

HTH
-------------------------------------------------------------------------------------------

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Every second week we get about 30G of data that
> mysteriously"disappears.
> Luckily our backups are pretty good and we can restore but it's only a
> matter of time till we lose some data.
> I figure the accessing and deletion can be logged but I'm not sure how
> to go
> about it.
> Can someone help please?
> Mark
>
 
H

Hank Arnold

Clubsprint wrote:
> Every second week we get about 30G of data that mysteriously"disappears.
> Luckily our backups are pretty good and we can restore but it's only a
> matter of time till we lose some data.
> I figure the accessing and deletion can be logged but I'm not sure how to go
> about it.
> Can someone help please?
>
> Mark
>
>
>

Have you checked for a scheduled task running?

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
http://mypcassistant.blogspot.com/
 
L

Lanwench [MVP - Exchange]

Clubsprint wrote:
> Every second week we get about 30G of data that
> mysteriously"disappears. Luckily our backups are pretty good and we
> can restore but it's only a matter of time till we lose some data.
> I figure the accessing and deletion can be logged but I'm not sure
> how to go about it.
> Can someone help please?
>
> Mark

In addition to the other replies ...

Is this really that predictable? Same folders? Literally every two weeks?

Are you 100% sure some user hasn't accidentally dragged the stuff into
another subfolder?
 
C

Clubsprint

Thanks all for your responses.
I've now enabled auditing on the directory.
It's not a scheduled as it is random times and directories within the
business unit drive.
I'm actually pretty sure it's the support guy on site. He hates his job and
most of the staff but he just wont leave.
He's done a bunch of other things (unplugging routers/switches, turning off
servers after hours, deleting DNS entries, etc)
I'm just hoping it's him so I can kick him out the door.
I'll post back the result.

"Lanwench [MVP - Exchange]"
wrote in message
news:uOMaOBGQKHA.1280@TK2MSFTNGP04.phx.gbl...
>
> Clubsprint wrote:
>> Every second week we get about 30G of data that
>> mysteriously"disappears. Luckily our backups are pretty good and we
>> can restore but it's only a matter of time till we lose some data.
>> I figure the accessing and deletion can be logged but I'm not sure
>> how to go about it.
>> Can someone help please?
>>
>> Mark
>
> In addition to the other replies ...
>
> Is this really that predictable? Same folders? Literally every two weeks?
>
> Are you 100% sure some user hasn't accidentally dragged the stuff into
> another subfolder?
>
 
A

Ace Fekay [MCT]

"Clubsprint" wrote in message
news:hajlei$3ir$1@news-01.bur.connect.com.au...
> Thanks all for your responses.
> I've now enabled auditing on the directory.
> It's not a scheduled as it is random times and directories within the
> business unit drive.
> I'm actually pretty sure it's the support guy on site. He hates his job
> and most of the staff but he just wont leave.
> He's done a bunch of other things (unplugging routers/switches, turning
> off servers after hours, deleting DNS entries, etc)
> I'm just hoping it's him so I can kick him out the door.
> I'll post back the result.
>

Hmm, a drama! You've got me following this thread now, to see the outcome.-)

Is it him, or is it someone else that thinks making these changes would
point the finger to him to get rid of him....

Ace
 
C

Clubsprint

Oh I KNOW it's him. Haven't got legal action level proof but I'll egt there.
I'll post some more info when I have some time. I'm thinking about
installing a keylogger on his PC.
Eitherhe gets booted or leaves of his own volition I don't car. Going out to
his site now so I'll be
re-inforcing his negative comments about his job. I don't need some-one
making more trouble.
Enough happens naturally.


"Ace Fekay [MCT]" wrote in message
news:%23lVo818RKHA.1796@TK2MSFTNGP02.phx.gbl...
> "Clubsprint" wrote in message
> news:hajlei$3ir$1@news-01.bur.connect.com.au...
>
> Hmm, a drama! You've got me following this thread now, to see the
> outcome.-)
>
> Is it him, or is it someone else that thinks making these changes would
> point the finger to him to get rid of him....
>
> Ace
>
>
>
 
A

Ace Fekay [MCT]

"Clubsprint" wrote in message
news:ham6ed$jpn$1@news-01.bur.connect.com.au...
> Oh I KNOW it's him. Haven't got legal action level proof but I'll egt
> there.
> I'll post some more info when I have some time. I'm thinking about
> installing a keylogger on his PC.
> Eitherhe gets booted or leaves of his own volition I don't car. Going out
> to his site now so I'll be
> re-inforcing his negative comments about his job. I don't need some-one
> making more trouble.
> Enough happens naturally.
>

Keep us updated! You can possibly even start a Twitter who-dun-it on this,
such as the way Brent Spiner does with his tweets.

Ace
 
You must log in or register to reply here.

Similar threads

Y
  • Article
The most personal Windows 11 experience begins rolling out today
Replies
0
Views
152
Yusuf Mehdi, Corporate Vice President &#38
Y
W
Need help for a friend who can no longer access his documents
Replies
0
Views
284
WishyWishyKennyFishy
W
A
  • Article
Windows 11 helps build a more positive, inclusive shopping experience for plus-size women
Replies
0
Views
265
Athima Chansanchai, Writer
A
B
  • Article
Announcing Windows 11 Insider Preview Build 22557
Replies
0
Views
495
Brandon LeBlanc
B
J
BSoD: PnP DETECTED FATAL ERROR
Replies
0
Views
358
JohnBreen3
J
Back
Top Bottom