Auditing / File Security

Kelly Armitage

Can anyone tell if it is possible (and if yes how?) to log or audit file
access. This is a large domain running 2003 AD with a mix of NT / 2000
servers.

The simple and basic scenario is as an example HR is a group all with access
to Folder X. Within Folder X there are some basic spreadsheets that all
these users can access. One of these users has either accidentally or
intentionally deleted one of these files. Retrieving the file from tape took
all of 3 minutes, but the powers that be would like to know which user it was
that deleted it. I have looked through the event viewer security logs and
cannot seem to find any reference to that file being accessed or deleted. Is
there an auditing feature on the DC that will enable me to check for such
things? If there is, which is it, and what would it look like so I can
recognize it in the event viewer. I mean would the event specifically name
the file that was deleted?

USER A deleted FILE X? Any pointers tips or methods others use would be
great. It seems locking stuff down so that a small number of users are the
only ones with access to it, isn't enough these days.

HELP! :)
 
Hotsauce1

Yes

"Kelly Armitage" wrote:

> Can anyone tell if it is possible (and if yes how?) to log or audit file
> access. This is a large domain running 2003 AD with a mix of NT / 2000
> servers.
>
> The simple and basic scenario is as an example HR is a group all with access
> to Folder X. Within Folder X there are some basic spreadsheets that all
> these users can access. One of these users has either accidentally or
> intentionally deleted one of these files. Retrieving the file from tape took
> all of 3 minutes, but the powers that be would like to know which user it was
> that deleted it. I have looked through the event viewer security logs and
> cannot seem to find any reference to that file being accessed or deleted. Is
> there an auditing feature on the DC that will enable me to check for such
> things? If there is, which is it, and what would it look like so I can
> recognize it in the event viewer. I mean would the event specifically name
> the file that was deleted?
>
> USER A deleted FILE X? Any pointers tips or methods others use would be
> great. It seems locking stuff down so that a small number of users are the
> only ones with access to it, isn't enough these days.
>
> HELP! :)
 
S. Pidgorny

http://support.microsoft.com/kb/310399 (XP, equally applies to Windows 2003)
http://support.microsoft.com/kb/301640 (Windows 2000)
http://support.microsoft.com/kb/157238 (Windows NT)


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"Kelly Armitage" <KellyArmitage@discussions.microsoft.com> wrote in message
news:B2FD540D-117C-4E66-8910-F6F03A5309F7@microsoft.com...
> Can anyone tell if it is possible (and if yes how?) to log or audit file
> access. This is a large domain running 2003 AD with a mix of NT / 2000
> servers.
>
> The simple and basic scenario is as an example HR is a group all with access
> to Folder X. Within Folder X there are some basic spreadsheets that all
> these users can access. One of these users has either accidentally or
> intentionally deleted one of these files. Retrieving the file from tape took
> all of 3 minutes, but the powers that be would like to know which user it was
> that deleted it. I have looked through the event viewer security logs and
> cannot seem to find any reference to that file being accessed or deleted. Is
> there an auditing feature on the DC that will enable me to check for such
> things? If there is, which is it, and what would it look like so I can
> recognize it in the event viewer. I mean would the event specifically name
> the file that was deleted?
>
> USER A deleted FILE X? Any pointers tips or methods others use would be
> great. It seems locking stuff down so that a small number of users are the
> only ones with access to it, isn't enough these days.
>
> HELP! :)
 