HELP - What log will tell who is deleting files?

Every second week we get about 30G of data that mysteriously"disappears.
Luckily our backups are pretty good and we can restore but it's only a
matter of time till we lose some data.
I figure the accessing and deletion can be logged but I'm not sure how to go
about it.
Can someone help please?

Mark

 

Hello Clubsprint,

From another posting, how to enable auditing for files folders:
-------------------------------------------------------------------------------------------
Enabling file auditing is a 2-step process.

[1] Configure "audit object access" in AD Group Policy or on the server's
local GPO. This setting is located under Computer Configuration-->Windows
Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure
auditing for "Audit object access."

[2] Configure an audit entry on the specific folder(s) that you wish to audit.
Right-click on the folder-->Properties-->Advanced. From the Auditing tab,
click Add, then enter the users/groups whom you wish to audit and what actions
you wish to audit - auditing Full Control will create an audit entry every
time anyone opens/changes/closes/deletes a file, or you can just audit for
Delete operations.

After you've done both of these steps, any file deletions will show up in
the Security log of the file server that hosts those files.

HTH
-------------------------------------------------------------------------------------------

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!

<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Every second week we get about 30G of data that
> mysteriously"disappears.
> Luckily our backups are pretty good and we can restore but it's only a
> matter of time till we lose some data.
> I figure the accessing and deletion can be logged but I'm not sure how
> to go
> about it.
> Can someone help please?
> Mark
> <!--colorc--><!--/colorc-->

 

Clubsprint wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Every second week we get about 30G of data that mysteriously"disappears.
> Luckily our backups are pretty good and we can restore but it's only a
> matter of time till we lose some data.
> I figure the accessing and deletion can be logged but I'm not sure how to go
> about it.
> Can someone help please?
>
> Mark
>
>
> <!--colorc--><!--/colorc-->

Have you checked for a scheduled task running?

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

 

Clubsprint <spamspamspamspam@nospam.com> wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Every second week we get about 30G of data that
> mysteriously"disappears. Luckily our backups are pretty good and we
> can restore but it's only a matter of time till we lose some data.
> I figure the accessing and deletion can be logged but I'm not sure
> how to go about it.
> Can someone help please?
>
> Mark<!--colorc--><!--/colorc-->

In addition to the other replies ...

Is this really that predictable? Same folders? Literally every two weeks?

Are you 100% sure some user hasn't accidentally dragged the stuff into
another subfolder?

 

Thanks all for your responses.
I've now enabled auditing on the directory.
It's not a scheduled as it is random times and directories within the
business unit drive.
I'm actually pretty sure it's the support guy on site. He hates his job and
most of the staff but he just wont leave.
He's done a bunch of other things (unplugging routers/switches, turning off
servers after hours, deleting DNS entries, etc)
I'm just hoping it's him so I can kick him out the door.
I'll post back the result.

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:uOMaOBGQKHA.1280@TK2MSFTNGP04.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
>
> Clubsprint <spamspamspamspam@nospam.com> wrote:<!--coloro:green--><span style="color:green <!--/coloro-->
>> Every second week we get about 30G of data that
>> mysteriously"disappears. Luckily our backups are pretty good and we
>> can restore but it's only a matter of time till we lose some data.
>> I figure the accessing and deletion can be logged but I'm not sure
>> how to go about it.
>> Can someone help please?
>>
>> Mark<!--colorc--><!--/colorc-->
>
> In addition to the other replies ...
>
> Is this really that predictable? Same folders? Literally every two weeks?
>
> Are you 100% sure some user hasn't accidentally dragged the stuff into
> another subfolder?
> <!--colorc--><!--/colorc-->

 

"Clubsprint" <spamspamspamspam@nospam.com> wrote in message
news:hajlei$3ir$1@news-01.bur.connect.com.au...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Thanks all for your responses.
> I've now enabled auditing on the directory.
> It's not a scheduled as it is random times and directories within the
> business unit drive.
> I'm actually pretty sure it's the support guy on site. He hates his job
> and most of the staff but he just wont leave.
> He's done a bunch of other things (unplugging routers/switches, turning
> off servers after hours, deleting DNS entries, etc)
> I'm just hoping it's him so I can kick him out the door.
> I'll post back the result.
><!--colorc--><!--/colorc-->

Hmm, a drama! You've got me following this thread now, to see the outcome.-)

Is it him, or is it someone else that thinks making these changes would
point the finger to him to get rid of him....

Ace

 

Oh I KNOW it's him. Haven't got legal action level proof but I'll egt there.
I'll post some more info when I have some time. I'm thinking about
installing a keylogger on his PC.
Eitherhe gets booted or leaves of his own volition I don't car. Going out to
his site now so I'll be
re-inforcing his negative comments about his job. I don't need some-one
making more trouble.
Enough happens naturally.


"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:%23lVo818RKHA.1796@TK2MSFTNGP02.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> "Clubsprint" <spamspamspamspam@nospam.com> wrote in message
> news:hajlei$3ir$1@news-01.bur.connect.com.au...
>
> Hmm, a drama! You've got me following this thread now, to see the
> outcome.-)
>
> Is it him, or is it someone else that thinks making these changes would
> point the finger to him to get rid of him....
>
> Ace
>
>
> <!--colorc--><!--/colorc-->

 

"Clubsprint" <spamspamspamspam@nospam.com> wrote in message
news:ham6ed$jpn$1@news-01.bur.connect.com.au...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Oh I KNOW it's him. Haven't got legal action level proof but I'll egt
> there.
> I'll post some more info when I have some time. I'm thinking about
> installing a keylogger on his PC.
> Eitherhe gets booted or leaves of his own volition I don't car. Going out
> to his site now so I'll be
> re-inforcing his negative comments about his job. I don't need some-one
> making more trouble.
> Enough happens naturally.
><!--colorc--><!--/colorc-->

Keep us updated! You can possibly even start a Twitter who-dun-it on this,
such as the way Brent Spiner does with his tweets.

Ace