Re: Audit Deleting of files
From: Lynn (anonymous_at_discussions.microsoft.com)
Date: 09/09/04
- Previous message: Sam Kong: "Ignore above message"
- In reply to: Laura E. Hunter \(MVP\): "Re: Audit Deleting of files"
- Next in thread: Steven L Umbach: "Re: Audit Deleting of files"
- Reply: Steven L Umbach: "Re: Audit Deleting of files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 9 Sep 2004 13:37:57 -0700
Thanks Laura,
I just want to confirm...For a machine that is networked
you can't just do an audit on the machine. There has to
be a domain policy right?
>-----Original Message-----
>Configuring auditing is a two-step process. First you
need to configure an
>audit policy for your domain:
>
>To configure an audit policy setting for a domain
controller, follow these
>steps:
> 1.. Click Start, point to Programs, point to
Administrative Tools, and
>then click Active Directory Users and Computers.
> 2.. Click Advanced Features on the View menu.
> 3.. Right-click Domain Controllers, and then click
Properties.
> 4.. Click the Group Policy tab, click Default Domain
Controller Policy,
>and then click Edit.
> 5.. Click Computer Configuration, double-click Windows
Settings,
>double-click Security Settings, double-click Local
Policies, and then
>double-click Audit Policy.
> 6.. In the right pane, right-click Audit Directory
Services Access, and
>then click Security.
> 7.. Click Define These Policy Settings, and then click
to select one or
>both of the following check boxes:
> a.. Success: Click to select this check box to audit
successful attempts
>for the event category.
> b.. Failure: Click to select this check box to audit
failed attempts for
>the event category.
> 8.. Right-click any other event category that you want
to audit, and then
>click Security.
> 9.. Click OK.
> 10.. Because the changes that you make to your
computer's audit policy
>setting take effect only when the policy setting is
propagated (or applied)
>to your computer, complete one of the following steps to
initiate policy
>propagation:
> a.. Type secedit /refreshpolicy machine_policy at the
command prompt,
>press ENTER, and then restart the computer.
>
> -or-
> b.. Wait for automatic policy propagation, which
occurs at regular
>intervals that you can configure. By default, policy
propagation occurs
>every eight hours.
> 11.. Open the Security log to view logged events. NOTE:
If you are either
>a domain or an enterprise administrator, you can enable
security auditing
>for workstations, member servers, and domain controllers
remotely.
>After that, you need to enable the specific folder(s)
that you want to have
>audited:
>
>How To: Set, Remove or Change Auditing for a File or
Folder:
>
>http://support.microsoft.com/default.aspx?scid=kb;EN-
US;301640
>
>
>
>--
>******************************
>Laura E. Hunter - MCSE, MCT, MVP
>Replies to newsgroup only
>
>
>"Lynn" <anonymous@discussions.microsoft.com> wrote in
message
>news:92ce01c496a9$cf376510$a301280a@phx.gbl...
>> Hello All,
>> Is there a way which user (logged in on separate ID's)
are
>> deleting files on a particular machine? We have a
folder
>> on public machine that keeps disappearing. We want to
>> know which logged in user is deleting it. Is there a
way
>> to audit this and find out?
>>
>> Thanks
>> Lynn
>>
>
>
>.
>
- Previous message: Sam Kong: "Ignore above message"
- In reply to: Laura E. Hunter \(MVP\): "Re: Audit Deleting of files"
- Next in thread: Steven L Umbach: "Re: Audit Deleting of files"
- Reply: Steven L Umbach: "Re: Audit Deleting of files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
