Re: Is it possible to find out who deleted a file under W2K/NT??

From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com)
Date: 05/28/02

• Next message: Glen Baumgarten: "Re: Is it possible to find out who deleted a file under W2K/NT??"
• Previous message: rr: "connecting two offices via vpn"
• In reply to: Truesdale, Larry [GRWAY:X261:EXCH]: "Is it possible to find out who deleted a file under W2K/NT??"
• Next in thread: Glen Baumgarten: "Re: Is it possible to find out who deleted a file under W2K/NT??"
• Reply: Glen Baumgarten: "Re: Is it possible to find out who deleted a file under W2K/NT??"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com>
Date: Tue, 28 May 2002 12:14:03 -0700

If you had enabled "Object Access / Success" auditing in your machine's
audit policy, directly or via domain policy, and had set a SACL on the
object to audit delete accesses to that object, and both of these were done
prior to the object's deletion, then you should see a delete event for that
object in your security log.

Otherwise, the information on who deleted the object is lost.

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
"Truesdale, Larry [GRWAY:X261:EXCH]" <larrytru@americasm01.nt.com> wrote in
message news:ad083i$khp$1@bcarh8ab.ca.nortel.com...
> Hello,
>
> A couple of files have been deleted from my Win 2K machine.  Is it
possible
> to figure out which account was used to deleted them?  I'm not
particularly
> interested in recovering them, just knowing who deleted them.
>
> Thanks!!
>
> Larry
>
>

---

• Next message: Glen Baumgarten: "Re: Is it possible to find out who deleted a file under W2K/NT??"
• Previous message: rr: "connecting two offices via vpn"
• In reply to: Truesdale, Larry [GRWAY:X261:EXCH]: "Is it possible to find out who deleted a file under W2K/NT??"
• Next in thread: Glen Baumgarten: "Re: Is it possible to find out who deleted a file under W2K/NT??"
• Reply: Glen Baumgarten: "Re: Is it possible to find out who deleted a file under W2K/NT??"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Is it possible to find out who deleted a file under W2K/NT?? ... audit policy, directly or via domain policy, and had set a SACL on the ... Eric Fitzgerald ... Windows Auditing and Intrusion Detection ... (comp.os.ms-windows.nt.admin.security) Re: Print Auditing ... configure auditing for objects, a printer is an object, like folders, files, ... > "The current Audit Policy for this computer does not have auditing turned ... > administrator to turn on auditing using Group Policy Editor. ... > the Local Computer Policy Editor to configure the Audit policy locally on ... (microsoft.public.windows.server.security) Print Auditing ... "The current Audit Policy for this computer does not have auditing turned ... administrator to turn on auditing using Group Policy Editor. ... the Local Computer Policy Editor to configure the Audit policy locally on ... (microsoft.public.windows.server.security) Re: Security Event Log - Can anyone explain ?? ... Eric Fitzgerald ... Windows Auditing and Intrusion Detection ... and It mentioned that security auditing was turn off. ... (microsoft.public.win2000.security) Re: IPSec auditing ... It's not the auditing; it's the whole implementation. ... Dan ... Eric Fitzgerald wrote: ... >>>negotiating IPSec and the second time I ping the echo reply comes ... (microsoft.public.win2000.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.ms-windows.nt.admin.security  > 2002-05