Click here to get back home

failed/successfull audit delete folder and delete file and folder
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
failed/successfull audit delete folder and delete file and folder steef83 11-15-2006
Posted by steef83 on November 15, 2006, 8:12 am
Please log in for more thread options
 Hi,

I've made a failed/successfull auditing on a folder, because this one
is constantly deleted.
We don't know if it is by a user or trough network problems.
Yesterday the folder was deleted, but we can't find any event of who
deleted it.
When a folder is deleted is also the audit deleted? or did I do
something wrong in the auditing.
Should I audit on a higher level?? \shared\ instead of \shared\...


Posted by Brian Komar [MVP] on November 15, 2006, 9:05 am
Please log in for more thread options
 steef83@gmail.com says...
> Hi,
>
> I've made a failed/successfull auditing on a folder, because this one
> is constantly deleted.
> We don't know if it is by a user or trough network problems.
> Yesterday the folder was deleted, but we can't find any event of who
> deleted it.
> When a folder is deleted is also the audit deleted? or did I do
> something wrong in the auditing.
> Should I audit on a higher level?? \shared\ instead of \shared\...
>
>
A couple of things to check...
1) Did you enable success and failure auditing for object access (this
is required for delete tracking)
2) Did you enable both success and failure auditing for the delete
action
3) Did you apply the delete action audit to the Everyone group. If you
did not encompass everyone, the person performing the deletion may not
be audited.
Brian

Posted by steef83 on November 15, 2006, 9:40 am
Please log in for more thread options

Brian schreef:

> steef83@gmail.com says...
> > Hi,
> >
> > I've made a failed/successfull auditing on a folder, because this one
> > is constantly deleted.
> > We don't know if it is by a user or trough network problems.
> > Yesterday the folder was deleted, but we can't find any event of who
> > deleted it.
> > When a folder is deleted is also the audit deleted? or did I do
> > something wrong in the auditing.
> > Should I audit on a higher level?? \shared\ instead of \shared\...
> >
> >
> A couple of things to check...
> 1) Did you enable success and failure auditing for object access (this
> is required for delete tracking)
> 2) Did you enable both success and failure auditing for the delete
> action
> 3) Did you apply the delete action audit to the Everyone group. If you
> did not encompass everyone, the person performing the deletion may not
> be audited.
> Brian

1) That I don't know
2) Yes
3) Everyone who was defined in the acl including the everyone group.


Posted by Brian Komar [MVP] on November 15, 2006, 12:04 pm
Please log in for more thread options
Then that is definitely the issue. If you do not enable object access
auditing for success and failure, you will receive no reports for
deletion auditing. There is a dependency that does not exist in your
environment.
Brian

steef83@gmail.com says...
>
> Brian schreef:
>
> > steef83@gmail.com says...
> > > Hi,
> > >
> > > I've made a failed/successfull auditing on a folder, because this one
> > > is constantly deleted.
> > > We don't know if it is by a user or trough network problems.
> > > Yesterday the folder was deleted, but we can't find any event of who
> > > deleted it.
> > > When a folder is deleted is also the audit deleted? or did I do
> > > something wrong in the auditing.
> > > Should I audit on a higher level?? \shared\ instead of \shared\...
> > >
> > >
> > A couple of things to check...
> > 1) Did you enable success and failure auditing for object access (this
> > is required for delete tracking)
> > 2) Did you enable both success and failure auditing for the delete
> > action
> > 3) Did you apply the delete action audit to the Everyone group. If you
> > did not encompass everyone, the person performing the deletion may not
> > be audited.
> > Brian
>
> 1) That I don't know
> 2) Yes
> 3) Everyone who was defined in the acl including the everyone group.
>
>

Posted by steef83 on November 16, 2006, 4:23 am
Please log in for more thread options
Brian,

I've got a domain controller and would like to activate the audit
policy for object access.
However our dc wil not audit objects, because it is gray when I open
the properties for audit object access.
Our dc is part of a big domain with multiple dcs'
How can I change it so that I can select succesfull and failed object
access auditing??
Many thanks for your reply


Similar ThreadsPosted
All I want to do is audit "delete" events, but log gets massive: how to do effiecntly? November 3, 2005, 8:59 am
Audit file/folder access February 12, 2007, 10:52 am
Net Share IPC$ /Delete August 3, 2006, 12:57 am
Delete permisions??? March 6, 2007, 1:34 pm
audit folder access, exclude user November 27, 2007, 5:14 pm
How to delete a given "Certificate Store"? January 17, 2006, 12:40 pm
NTFS Rname VS. Delete Permission April 23, 2008, 1:36 am
Delete files with logoff/on script June 3, 2008, 4:42 am
How to Audit windows 2003 folder secrity setting change? January 5, 2006, 10:13 pm
Server has been hacked, need to delete hidden user account May 25, 2007, 5:44 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap