Re: failed/successfull audit delete folder and delete file and folder

Then that is definitely the issue. If you do not enable object access
auditing for success and failure, you will receive no reports for
deletion auditing. There is a dependency that does not exist in your
environment.
Brian

In article <1163601633.325540.227160@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
steef83@xxxxxxxxx says...

Brian schreef:

In article <1163596358.737545.192610@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
steef83@xxxxxxxxx says...
Hi,

I've made a failed/successfull auditing on a folder, because this one
is constantly deleted.
We don't know if it is by a user or trough network problems.
Yesterday the folder was deleted, but we can't find any event of who
deleted it.
When a folder is deleted is also the audit deleted? or did I do
something wrong in the auditing.
Should I audit on a higher level?? \\shared\ instead of \\shared\...


A couple of things to check...
1) Did you enable success and failure auditing for object access (this
is required for delete tracking)
2) Did you enable both success and failure auditing for the delete
action
3) Did you apply the delete action audit to the Everyone group. If you
did not encompass everyone, the person performing the deletion may not
be audited.
Brian

1) That I don't know
2) Yes
3) Everyone who was defined in the acl including the everyone group.


.

Relevant Pages

  • Re: Setting up security etc so Kids can play games...Need Help!!
    ... to enable auditing for access failures by users when running ... this approach involves modifying machine policy, registry ... for object access (enabling auditing for failure should be sufficient, ... modify security settings on the registry keys where failure ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Security settings
    ... to enable the system's own object access auditing feature for any ... suspected file and registry locations that might be accessed by the ... you can then modify the security settings on only those resources to ... > for object access (enabling auditing for failure should be sufficient, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Event ID 577 Filing Security Logs
    ... when auditing failure is enabled for privilege use. ... have auditing of privledge use set for success and failure. ...
    (microsoft.public.windows.server.security)
  • troubleshooting 560 object access failure audit entries
    ... security policy. ... I'm auditing all of my hard disk ... partitions for for "failure" on all events, ... audit" "object access" 560 errors in my security event log. ...
    (microsoft.public.windows.server.general)
  • Audit for deleted files
    ... Enabled audting for'object access' GP object (success and failure) ... Selected auditing on the Company folder, ...
    (microsoft.public.windows.server.sbs)