Keeping track of who deleted and created files

I received a call on Monday at home from someone at work in a panic because an entire folder on our network drive was missing. I had to recover it from our backups of the previous evening. I thought we had already set it up so we could find out who deletes files and folders, but we didn’t. I finished setting it up yesterday and had to go to four different pages to really get all the info I needed.

From all the reading I did online for how to track this information there are a couple of ways to do it. You can do it in group policy or you can use the auditpol tool if running server 2008. Starting with Server 2008 they added audit categories which allow you to fine tune what you want to see in the event log. With Server 2003 you can only enable an entire class, which could cause a huge amount of useless information to be included. That would defeat the purpose of me wanting to set file auditing to begin with because I wouldn’t want to search through a massive amount of logs for a couple of events.

First, if you are running a server 2003 domain still (I cry a little inside about this being true for us) you’ll need to go into group policy and enable force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. You can find that setting under computer configuration > policies > windows settings > security settings > local policies > security options.

I made the following changes on the file server directly since that’s the only one we care about. To audit when files and folders are deleted or created you want to enable success audits for the file system subcategory under the object access class. Here’s a list of all the classes and subcategories that I found helpful.  If you want to view all of the subcategories and their settings you can type auditpol /get /category:* into a command prompt. To enable this category use this in the command prompt auditpol /set /subcategory:”File System” /success:enable /failure:enable.

The last step is just like setting permissions on folders. Go to the folders you want to monitor, right-click on them and go to properties. Go to the security tab and then click the advanced button. Instead of using the permissions tab we’re using the auditing tab.  Click edit under this tab and add whatever group of users you want to monitor, in my case it was just the domain’s built-in users group since I want to what everybody does on our network share when they create and delete things. Then you can check the boxes for what actions you want to keep track of. In my case it was just the boxes for creating files, creating folders, delete subfolders and files, and delete.

Then you’re done. When you want to go back and check the event log on the file server you’ll see events under the file system category for the boxes you checked.

Next time someone deletes something they aren’t supposed to I can chase them down.

Sources:

  1. Technet forum – Where is my : Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  2. Technet forum – auditing file share on windows 2008 R2
  3. Technet – Fine Tune Your Security Audit Policies
  4. Technet forum – how can track who deleted file/folder from Windows Server 2008
  5. Technet – Advanced Audit Policy Configuration descriptions

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: