Re: How to monitoring who has deleted a NTFS folder

From: ] (dlaflotte_at_criticalsites.com)
Date: 05/24/05

Next message: Roger Abell: "Re: How to monitoring who has deleted a NTFS folder"
Previous message: you know who maybe: "Which persmisison to rename domain workstation"
In reply to: Arminio Andrei: "How to monitoring who has deleted a NTFS folder"
Next in thread: Roger Abell: "Re: How to monitoring who has deleted a NTFS folder"
Reply: Roger Abell: "Re: How to monitoring who has deleted a NTFS folder"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 24 May 2005 17:35:05 -0400

Arminio,
I know you said audit policies don't solve the problem. I was
wondering if you could explain a bit more as to why they dont?
Below I've listed a method for monitoring folders that are deleted by users.
The way to do this is to use a Local Security Policy.
1. Run secpol.msc
2. Goto Security Settings > Local Policies > Audit Policy
3. Change Audit object access to audit success and failure
4. goto the parent directory above the directory you want to audit for
deletion. Goto the auditing tab and audit for success of Delete Subfolders
and files.
5. Now when a user deletes any subfolders you will get an entry in your
event viewer under the security logs with event ID 560 & 567.

ID 560 shows the folder that was deleted and ID 567 shows the type of
operation done on that folder (DELETE).

Good Luck,
Duane Laflotte
MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I
dlaflotte@criticalsites.com

"Arminio Andrei" <a_arminio@yahoo.com> wrote in message
news:etYw1%23IYFHA.2128@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> Is there any way to monitore a NTFS directory structure
> to find what user has just delete a partuculary folder(s) or
> file(s) and log this actions? An audit policy dosen't solve the problem!
>
> Thanks
>
>

Next message: Roger Abell: "Re: How to monitoring who has deleted a NTFS folder"
Previous message: you know who maybe: "Which persmisison to rename domain workstation"
In reply to: Arminio Andrei: "How to monitoring who has deleted a NTFS folder"
Next in thread: Roger Abell: "Re: How to monitoring who has deleted a NTFS folder"
Reply: Roger Abell: "Re: How to monitoring who has deleted a NTFS folder"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Domain Security Policy
... On Win2K Server, I have enabled some of the Audit Policies under Local ... Policies in Domain Security Policy. ...
(microsoft.public.win2000.advanced_server)
Re: no audit of logon events in xp home?
... Shenan wrote: ... >> i want to turn of the audit of logon events in winxp home. ... "Audit policies on a computer running Windows XP Home Edition and ...
(microsoft.public.windowsxp.security_admin)
Auditing Failed Logons
... logon attempts checked as one of our audit policies on our ... When I audit the PDC I do not see any 529 Event ID's, ...
(microsoft.public.security)
"Enter Network Password" popup on all IE pages
... gave up last night on this and began reimaging server. ... The audit policy on that local ... objects and they all read Ok as to the audit policy. ... >domain workstation accounts. ...
(microsoft.public.win2000.group_policy)
Re: setting up an audit.
... Audit can be configured in a Group Policy, You may have a look at the links ... This module describes how to set different settings that apply to auditing. ... Threats and Countermeasures Guide - Audit Policy ... Microsoft Windows XP - Audit Policy ...
(microsoft.public.windows.group_policy)