Re: Is it possible to find out who deleted a file under W2K/NT??
From: Glen Baumgarten (glen@ispnet.ca)Date: 05/28/02
- Next message: Berk S. Daemon: "Re: which firewall"
- Previous message: Eric Fitzgerald [MSFT]: "Re: Is it possible to find out who deleted a file under W2K/NT??"
- In reply to: Eric Fitzgerald [MSFT]: "Re: Is it possible to find out who deleted a file under W2K/NT??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Glen Baumgarten" <glen@ispnet.ca> Date: Tue, 28 May 2002 15:28:09 -0400
But Larry is in Carling...not Fitzgerald ;)
Sorry. Just a real Nortel trip.
Eric Fitzgerald [MSFT] <ericf@online.microsoft.com> wrote in message
news:3cf3d6ff$1@news.microsoft.com...
> If you had enabled "Object Access / Success" auditing in your machine's
> audit policy, directly or via domain policy, and had set a SACL on the
> object to audit delete accesses to that object, and both of these were
done
> prior to the object's deletion, then you should see a delete event for
that
> object in your security log.
>
> Otherwise, the information on who deleted the object is lost.
>
> Eric
>
> --
> Eric Fitzgerald
> Program Manager, Windows Auditing and Intrusion Detection
> Microsoft Corporation
>
>
> "Truesdale, Larry [GRWAY:X261:EXCH]" <larrytru@americasm01.nt.com> wrote
in
> message news:ad083i$khp$1@bcarh8ab.ca.nortel.com...
> > Hello,
> >
> > A couple of files have been deleted from my Win 2K machine. Is it
> possible
> > to figure out which account was used to deleted them? I'm not
> particularly
> > interested in recovering them, just knowing who deleted them.
> >
> > Thanks!!
> >
> > Larry
> >
> >
>
>
- Next message: Berk S. Daemon: "Re: which firewall"
- Previous message: Eric Fitzgerald [MSFT]: "Re: Is it possible to find out who deleted a file under W2K/NT??"
- In reply to: Eric Fitzgerald [MSFT]: "Re: Is it possible to find out who deleted a file under W2K/NT??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
