Re: Audit to track moving of folders

---

• From: "Gerry Armstrong" <gerrya@xxxxxxxxxxx>
• Date: Thu, 15 Dec 2005 13:17:07 -0400

---

Thanks Charles, I will have to spend some time playing around with this to
be able to get what I want out of it. I would have thought it would have
been something easier to do but I guess not enough people want to be able to
do this so it is not a priority.

Thanks for your help anyway.

""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ARAMTi6%23FHA.552@xxxxxxxxxxxxxxxxxxxxxxxx
> HI Gerry,
>
> Welcome to SBS newsgroup.
>
> Issue description:
> =============
>
> I understand that you want to know how to audit the moving action on the
> SBS server.
>
> Analyzing and suggestion"
> ==============
>
> Based on my research, I would like to provide the following suggestions:
>
> 1. Enable auditing on necessary events.
>
> Generally speaking, a "move" operation can be considered the combination
> of
> a "write" and a "delete" operation.
>
> Therefore, to optimize the auditing performance, please can only enable
> "Success" Audit object access, and only monitor the following activities
> on
> the files/subfolders contained in the share:
>
> "Delete"
> "Create Files / Write Data"
> "Create Folders / Append Data"
>
> 2. Efficiently check event log:
>
> This is a bit complicated because there is a large number of data access
> on
> the folder and generally one operation could cause multiple audits.
>
> We can try enabling filters on event log. To do so:
>
> 1. Right-click the Security event log and choose Properties.
> 2. Select the Filter tab.
> 3. Select the Success check box.
> 4. Input "560" (without quotations) in the "Event ID" edit box.
> 5. Click OK.
> 6. Then only the related event will be displayed.
>
> Please note that the auditing events logged at the same time can generally
> be considered a single operation. Please note that if you want to monitor
> the issue on the Windows 2003 standard server, you can check the auditing
> event on the Windows 2003 server for the event 560.
>
> If you want some more convenient tools, it seem you might have to search
> the internet to see if you can find some third party tools that can
> satisfy
> your goal. We have no such tools other than auditing function on the event
> view.
>
> I really appreciate your effort on this issue; please feel free to post
> back. I am glad to be of assistance.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "Gerry Armstrong" <gerrya@xxxxxxxxxxx>
> | Newsgroups: microsoft.public.windows.server.sbs
> | Subject: Audit to track moving of folders
> | Date: Wed, 7 Dec 2005 08:45:32 -0400
> | Organization: Posted via Supernews, http://www.supernews.com
> | Message-ID: <11pdmb1m7i9do3c@xxxxxxxxxxxxxxxxxx>
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
> | X-RFC2646: Format=Flowed; Original
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
> | X-Complaints-To: abuse@xxxxxxxxxxxxx
> | Lines: 12
> | Path:
> TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
> ne.de!border2.nntp.dca.giganews.com!nntp.giganews.com!sn-xit-15!sn-xit-09!sn
> -xit-08!sn-post-01!supernews.com!corp.supernews.com!not-for-mail
> | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:228382
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> |
> | I have a problem with folders in a shared directory on a SBS2003 server
> | being moved by one of the users and I need to know who is responsible
> for
> | moving these folders. I understand that I can use Auditing to track
> various
> | types of information which will relate to this problem but I need some
> help
> | in configuring this.
> | What I would like to do is to be able to see who moved a folder from one
> | location to another within a share on the SBS2003 server as well as on a
> | Standard Windows 2003 server which is also a part of the domain (and
> | configured as a domain controller as well). Can you guys tell me what is
> the
> | best way of doing this?
> |
> |
> |
>


.

---

• Follow-Ups:
  • Re: Audit to track moving of folders
    • From: "Charles Yang [MSFT]"

• References:
  • Audit to track moving of folders
    • From: Gerry Armstrong
  • RE: Audit to track moving of folders
    • From: "Charles Yang [MSFT]"

• Prev by Date: Re: Last nights Microsoft updates
• Next by Date: Re: How do I catalog a Tape HELP!!
• Previous by thread: RE: Audit to track moving of folders
• Next by thread: Re: Audit to track moving of folders
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Audit to track moving of folders ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... | Subject: Re: Audit to track moving of folders ... Enable auditing on necessary events. ... (microsoft.public.windows.server.sbs) RE: Sharepoint upload question ... Distributed File System (DFS) allows administrators to group shared folders ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... (microsoft.public.windows.server.sbs) RE: ISA 2004 REPORT FAILURE ... Did as you suggested and turned auditing on for the system and folders ... that is setting the wrong permissions of the folders ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... (microsoft.public.windows.server.sbs) Re: Outlook 2003 ... files by ticking the option "Show hidden files and folders". ... Then please test to see if you can find the .nk2 file. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... (microsoft.public.windows.server.sbs) RE: Offline Files and Folders ... open a file from a network location ... Microsoft CSS Online Newsgroup Support ... <Thread-Topic: Offline Files and Folders ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)