Re: Audit Deleting of files
From: Laura E. Hunter \(MVP\) (hunter(nospamplease)_at_sfs.upenn.edu)
Date: 09/09/04
- Next message: anonymous_at_discussions.microsoft.com: "Audit Deleting of files"
- Previous message: Miha Pihler: "Re: Task Scheduler"
- In reply to: Lynn: "Audit Deleting of files"
- Next in thread: Lynn: "Re: Audit Deleting of files"
- Reply: Lynn: "Re: Audit Deleting of files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 9 Sep 2004 16:22:26 -0400
Configuring auditing is a two-step process. First you need to configure an
audit policy for your domain:
To configure an audit policy setting for a domain controller, follow these
steps:
1.. Click Start, point to Programs, point to Administrative Tools, and
then click Active Directory Users and Computers.
2.. Click Advanced Features on the View menu.
3.. Right-click Domain Controllers, and then click Properties.
4.. Click the Group Policy tab, click Default Domain Controller Policy,
and then click Edit.
5.. Click Computer Configuration, double-click Windows Settings,
double-click Security Settings, double-click Local Policies, and then
double-click Audit Policy.
6.. In the right pane, right-click Audit Directory Services Access, and
then click Security.
7.. Click Define These Policy Settings, and then click to select one or
both of the following check boxes:
a.. Success: Click to select this check box to audit successful attempts
for the event category.
b.. Failure: Click to select this check box to audit failed attempts for
the event category.
8.. Right-click any other event category that you want to audit, and then
click Security.
9.. Click OK.
10.. Because the changes that you make to your computer's audit policy
setting take effect only when the policy setting is propagated (or applied)
to your computer, complete one of the following steps to initiate policy
propagation:
a.. Type secedit /refreshpolicy machine_policy at the command prompt,
press ENTER, and then restart the computer.
-or-
b.. Wait for automatic policy propagation, which occurs at regular
intervals that you can configure. By default, policy propagation occurs
every eight hours.
11.. Open the Security log to view logged events. NOTE: If you are either
a domain or an enterprise administrator, you can enable security auditing
for workstations, member servers, and domain controllers remotely.
After that, you need to enable the specific folder(s) that you want to have
audited:
How To: Set, Remove or Change Auditing for a File or Folder:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;301640
-- ****************************** Laura E. Hunter - MCSE, MCT, MVP Replies to newsgroup only "Lynn" <anonymous@discussions.microsoft.com> wrote in message news:92ce01c496a9$cf376510$a301280a@phx.gbl... > Hello All, > Is there a way which user (logged in on separate ID's) are > deleting files on a particular machine? We have a folder > on public machine that keeps disappearing. We want to > know which logged in user is deleting it. Is there a way > to audit this and find out? > > Thanks > Lynn >
- Next message: anonymous_at_discussions.microsoft.com: "Audit Deleting of files"
- Previous message: Miha Pihler: "Re: Task Scheduler"
- In reply to: Lynn: "Audit Deleting of files"
- Next in thread: Lynn: "Re: Audit Deleting of files"
- Reply: Lynn: "Re: Audit Deleting of files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
