Who Deleted the file

Does anybody here know how to identify the username that was used to delete a file from a shared drive in Windows 2003 Server? Some of my important files were deleted permanently; good thing I was able to recover them using a free undelete program. I have my own domain and all of the people here have their own usernames and profiles.

Please share your knowledge.

Thanks and more power.
Since Windows 2000, all these OSes have logging processing; try to find this characteristic in the Microsoft Knowledge Base.
You don't need any add-on apps to do that. Windows NT or later systems have built-in support.

Part 1 - Pre-configure

1.) Create a new group policy object if you are configuring a group of users within a domain; or, if it is a stand-alone machine, open the Run dialog from Start, type gpedit.msc and press the Enter key.

2.) With the group policy editor opened, go through the path:
-- Computer Configuration -> Windows Settings -> Security Settings ->
Local Policies -> Audit Policy.

3.) Enable the entry `Audit object access`

Part 2 - Common Task

4.) Right-click a folder on which you need to enable access monitoring.
Go through the steps: Security tab -> Advanced button -> Auditing tab -> Add button -> Select a user or group from the `Select User or Group` dialog box. In this case, you may select `Everyone` for all users.

P.S. Let me know if you still have any problems.
Thanks for the feedback, bro. I was able to figure out the idea, but I'm confused about what type of access I need to put. I need to catch the login name together with the time that the file was deleted. There are two types of auditing access mentioned: successful and failed. What option do I need to select to meet my requirements?

Thanks and more power.

By the way, I made a user group and placed the usernames that I want to monitor as members of that user group. How will I check the auditing logs? Is there a log report or tool that I need to use?

Thanks again.
Basically, that depends on your needs.
For most network environments, this should be both, successful and failed, because the admin needs to know who deleted a file and who tried to delete a file.

In your case, it should be successful.

And you can go to Start menu -> Administrative Tools -> Event Viewer
to view the records.
Okay, great. By the way, how do I check the log file, or the activity file? Do you have any idea how?

Thanks for the information, dude. I really appreciate it.
You can go to Start menu -> Administrative Tools -> Event Viewer
to view the log file or data. (Windows 2000)


Start Menu -> All Programs -> Administrative Tools -> Event Viewer.

If Administrative Tools doesn't show up,

you can do one of the following tasks.

1.) Start Menu -> Control Panel -> Switch to classic view if in Windows XP -> Administrative Tools -> Event Viewer

2.) Right-click the Start Menu -> Properties -> Advanced tab -> On the bottom half of the screen, under Start Menu Settings, tick the Display Administrative Tools option to turn it on. Finally, click the OK button to close the dialog box. (I have forgotten the actual location in Windows XP, but it is not too different from this, just with more sections and/or dialog boxes; as of this writing I am in Windows 2000 for some jobs.)

Hope this helps.
Thanks. I guess I know where to find it now. It's Windows 2003 Server, by the way.
If anybody deleted it from the network, you cannot recover it. They can only delete if they have the delete credentials. Check your security settings. And you can use audit policy to find the user. It is available in group policy or local policy...
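
Added example, not part of the original thread: once `Audit object access` and the folder's auditing entries are in place, Windows Server 2003 writes object opens as Security event 560, handle closes as 562 and deletions as 564. The 564 record carries only a handle ID, so the user and file name have to be taken from the 560 that opened that handle. The sketch below does that correlation over a constructed, simplified CSV rendering of the log; the column names and sample rows are assumptions made for the example.

```python
import csv
import io

# Constructed sample: a simplified CSV rendering of Security log records.
# The column names are assumptions for this example, not a real export format.
SAMPLE_EXPORT = r"""time,event_id,user,process_id,handle_id,object_name,accesses
2009-03-02 09:14:07,560,CORP\alice,4,1840,D:\Shared\budget.xls,READ_CONTROL;ReadData
2009-03-02 09:14:08,562,,4,1840,,
2009-03-02 09:20:31,560,CORP\bob,4,1840,D:\Shared\budget.xls,DELETE
2009-03-02 09:20:31,564,,4,1840,,
2009-03-02 09:25:10,560,CORP\carol,4,2300,D:\Shared\plan.doc,DELETE;ReadAttributes
2009-03-02 09:25:11,562,,4,2300,,
2009-03-02 09:30:00,564,,4,3100,,
"""

OBJECT_OPEN, HANDLE_CLOSED, OBJECT_DELETED = "560", "562", "564"


def find_deletions(export_text):
    """Return (time, user, object_name) for each 564 'Object Deleted' record."""
    open_handles = {}  # (process_id, handle_id) -> the 560 row that opened it
    deletions = []
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["process_id"], row["handle_id"])
        if row["event_id"] == OBJECT_OPEN:
            open_handles[key] = row
        elif row["event_id"] == HANDLE_CLOSED:
            # Handle values get reused, so forget a handle once it is closed.
            open_handles.pop(key, None)
        elif row["event_id"] == OBJECT_DELETED:
            opened = open_handles.pop(key, None)
            if opened is None:
                # The matching open is missing (for example, the log wrapped).
                deletions.append((row["time"], None, None))
            else:
                deletions.append(
                    (row["time"], opened["user"], opened["object_name"]))
    return deletions


if __name__ == "__main__":
    for when, user, name in find_deletions(SAMPLE_EXPORT):
        print(when, user or "<unknown user>", name or "<unknown object>")
```

In the sample, carol opens a file with DELETE access but closes it without deleting, so she is not reported: a 560 requesting DELETE shows intent, while the 564 is what confirms the deletion.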
