Wednesday, December 21, 2011

Trace a deleted file on a server,Track who deleted your files,How to trace a deleted file on a server



Many administrators have to deal with files being deleted on a server, especially on a file server.
In this article we show how to trace which user deleted a file on a server.

This can be accomplished through auditing. Let's start by identifying which folder we want to watch, and be careful where you turn on auditing: turn it on for too many folders with too many options and you can have huge performance issues.

Find the folder you want, right-click it and go to Properties:


This will bring up the properties page for the folder. Move over to the Security tab, and click the Advanced button:

The advanced page will appear. Click the Auditing tab, and click the Add button:

A user dialog will come up. I chose to put the “Everyone” group here. This allows me to audit for any possible user account that may be deleting files. If you think you know who it might be, you could put those users here instead. The smaller the set of users being audited, the better the performance.

Once you click OK, a selection box will be displayed. Again, choose only the options you need. Each additional option will reduce performance. Here I just pick the options to audit deleting files and folders:


Click OK through all of the windows you have open. If a user deletes a file or folder, Windows will write an event to the security log.
Now we have our auditing turned on. Suppose you get to work one morning and find that files are missing. Simply open the Event Viewer and move over to the security log. Look for the event ID 560:


Double-click the event, and you will need to sit there and read it for a little bit to determine who did what. Here is an excerpt from mine (I copied the text from Event Viewer to Notepad for easier reading).
We can see from this log entry that the user Administrator deleted the file setuperr.log.
Now when someone deletes a file, you will have no problem determining who did it.
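
The same procedure scripted in PowerShell, as an added example that is not part of the original article: it adds the "Everyone" delete-only audit entry to a folder and then pulls the event ID 560 entries that mention that folder. The folder path and both function names are hypothetical, and it assumes the "Audit object access" policy is already enabled for successes so that Windows writes the events at all.

```powershell
# Added example (not from the original article). Run in an elevated session.
param(
    [string]$Folder = 'D:\Shares\Projects',  # hypothetical folder to watch
    [int]$EventId   = 560                    # event ID the article looks for
)

function Add-DeleteAuditRule {
    param([string]$Path)
    # Get-Acl only returns the audit list (SACL) when -Audit is given.
    $acl = Get-Acl -Path $Path -Audit
    # Same choices as in the dialog: Everyone, delete rights only, successes.
    $rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]::Success
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-DeleteAuditEvent {
    param([string]$Path, [int]$Id, [datetime]$After)
    # Assumption: the event message contains the full object path and the
    # access name DELETE, as in the Event Viewer text the article reads.
    Get-EventLog -LogName Security -InstanceId $Id -After $After -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message.IndexOf($Path, [StringComparison]::OrdinalIgnoreCase) -ge 0 -and
            $_.Message -cmatch '\bDELETE\b'
        } |
        Select-Object TimeGenerated, UserName, Message
}

# One-time setup on the folder:
#   Add-DeleteAuditRule -Path $Folder
# Later, list delete events from the last day:
Get-DeleteAuditEvent -Path $Folder -Id $EventId -After (Get-Date).AddDays(-1) |
    Format-List
```

Keeping the rule to the two delete rights and to one folder tree follows the article's performance advice: every extra right or folder audited adds more entries to the security log.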



1 comments:

Anonymous said...

Excellent post but I was wanting to know if you could write a
little more on this subject? I'd be very grateful if you could elaborate a little bit further. Thanks!
Also visit my blog post ; Windows Tablets