Re: Auditing file deletion



Thanks Steven,

The problem is that hundreds of other Object Access events get logged, not
just the file and directory deletions.

Nick


"Steven Zhu [MSFT]" <v-stezhu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:Dsc3KnSWGHA.3700@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Nick,

Thanks for posting here.

From your post, my understanding on this issue is: you configure auditing
for some file and directory deletions, but you cannot see any log
regarding this in the security event log. If I am off base, please feel
free to let me know.

Based on my knowledge, if you want to configure auditing for file and
directory deletions, please enable Audit Object Access success/failure in
Default Domain Controllers Policy. To do so, please refer to the following
steps:

1. Click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. On the View menu, click Advanced Features.
3. Right-click Domain Controllers, click Properties.
4. Click the Group Policy tab, click Default Domain Controller Policy, and
then click Edit.
5. Click Computer Configuration, double-click Windows Settings,
double-click Security Settings, and double-click Local Policies, and then
double-click Audit Policy.
6. In the right pane, right-click Audit Object Access, click Properties.
7. Click Define These Policy Settings, and then click to select one or
both of the following check boxes:
- Success: Click to select this check box to audit successful attempts for
the event category.
- Failure: Click to select this check box to audit failed attempts for the
event category.
8. Click OK.

Note: Because the changes that you make to your computer's audit policy
setting take effect only when the policy setting is propagated or applied
to your computer, complete either of the following steps to initiate
policy propagation:
- Type gpupdate /Target:computer at the command prompt, and then press
ENTER.
- Wait for automatic policy propagation that occurs at regular intervals
that you can configure. By default, policy propagation occurs every five
minutes.

Also, please specify the files and folders that you want audited. To do
so:

1. In Windows Explorer, locate the file or folder you want to audit.
Right-click the file and folder you want to audit, and then click
Properties.

2. Click the Security tab, and then click Advanced.

3. Click the Auditing tab, and then click Add.

4. In the Enter the object name to select box, type the name of the user
or group whose access you want to audit. You can browse the computer for
names by clicking Advanced, and then clicking Find Now in the Select User
or Group dialog box.

5. Click OK.

6. Select the Successful or Failed check boxes for the actions you want to
audit, and then click OK.

7. Click OK twice.

Finally, you can open the Security log to view logged events.
Additionally, if you are either a domain or an enterprise administrator,
you can enable security auditing for workstations, member servers, and
domain controllers remotely.

I hope the above information helps.

Have a nice day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
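
A scripted equivalent of the file and folder auditing steps above, as an added example that is not part of the original thread. It adds an audit (SACL) entry that covers only the delete rights, so other kinds of access to the folder do not generate Object Access events. The folder path and the Everyone principal are assumptions, and the session must run elevated.

```powershell
# Added example (not from the thread). Assumptions: the folder path is
# hypothetical, the audited principal is Everyone, and the session is
# elevated so that the SACL can be read and written.
$Path = 'D:\Shares\Projects'   # hypothetical path, replace with your own

function New-DeleteAuditRule {
    param([string]$Identity = 'Everyone')

    # Audit only the rights involved in deleting files and subfolders.
    $rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    # Apply the entry to this folder, its subfolders and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]'None'
    # Log both successful and failed attempts.
    $flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    New-Object System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $Identity, $rights, $inherit, $propagate, $flags
}

function Add-DeleteAuditing {
    param([string]$FolderPath, [string]$Identity = 'Everyone')

    if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
        throw "Folder not found: $FolderPath"
    }

    # -Audit makes Get-Acl include the SACL; without it only the DACL is read.
    $acl = Get-Acl -Path $FolderPath -Audit
    $acl.AddAuditRule((New-DeleteAuditRule -Identity $Identity))
    Set-Acl -Path $FolderPath -AclObject $acl

    # Return the audit entries now on the folder for review.
    (Get-Acl -Path $FolderPath -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

Add-DeleteAuditing -FolderPath $Path | Format-Table -AutoSize
```

The Audit Object Access policy from the first set of steps still has to be enabled for these entries to produce events in the Security log.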