Posts Tagged Server 2008

Keeping track of who deleted and created files

I received a call on Monday at home from someone at work in a panic because an entire folder on our network drive was missing. I had to recover it from our backups of the previous evening. I thought we had already set it up so we could find out who deletes files and folders, but we didn’t. I finished setting it up yesterday and had to go to four different pages to really get all the info I needed.

From all the reading I did online on how to track this information, there are a couple of ways to do it. You can do it in group policy or you can use the auditpol tool if running Server 2008. Starting with Server 2008 they added audit categories which allow you to fine tune what you want to see in the event log. With Server 2003 you can only enable an entire class, which could cause a huge amount of useless information to be included. That would defeat the purpose of me wanting to set file auditing to begin with because I wouldn’t want to search through a massive amount of logs for a couple of events.

First, if you are still running a Server 2003 domain (I cry a little inside about this being true for us), you’ll need to go into group policy and enable the setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". You can find that setting under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

I made the following changes on the file server directly since that’s the only one we care about. To audit when files and folders are deleted or created you want to enable success audits for the file system subcategory under the object access class. Here’s a list of all the classes and subcategories that I found helpful. If you want to view all of the subcategories and their settings you can type auditpol /get /category:* into a command prompt. To enable this subcategory, run auditpol /set /subcategory:"File System" /success:enable /failure:enable in the command prompt. Note that the quotes around File System must be plain straight quotes; curly quotes pasted from a web page will make the command fail.

The last step is just like setting permissions on folders. Go to the folders you want to monitor, right-click on them and go to properties. Go to the security tab and then click the advanced button. Instead of using the permissions tab we’re using the auditing tab. Click edit under this tab and add whatever group of users you want to monitor; in my case it was just the domain’s built-in users group since I want to see what everybody does on our network share when they create and delete things. Then you can check the boxes for what actions you want to keep track of. In my case it was just the boxes for creating files, creating folders, delete subfolders and files, and delete.

Then you’re done. When you want to go back and check the event log on the file server you’ll see events under the file system category for the boxes you checked.
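To pull the create and delete events described above out of the Security log, the following added example (not from the original post) parses event ID 4663, the File System access event, and keeps only entries whose access mask includes one of the rights ticked on the auditing tab. It assumes PowerShell 3.0 or later; the function name, the user EXAMPLE\jdoe and the sample path are constructed for illustration.

```powershell
# Added example. Access-mask bits for the auditing boxes ticked above.
$AccessBits = [ordered]@{
    'Create files / write data'    = 0x2
    'Create folders / append data' = 0x4
    'Delete subfolders and files'  = 0x40
    'Delete'                       = 0x10000
}

# Hypothetical helper: turns one 4663 event (as XML) into a who/what/where row.
function ConvertFrom-FileAuditEvent {
    param([Parameter(Mandatory = $true)][xml]$EventXml)
    # Collect the Name="..." fields under EventData into a lookup table.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)   # logged as e.g. 0x10000
    $hits = @($AccessBits.GetEnumerator() |
              Where-Object { $mask -band $_.Value } |
              ForEach-Object { $_.Key })
    if ($hits.Count -eq 0) { return }   # reads and listings: not a create or delete
    [pscustomobject]@{
        Time   = $EventXml.Event.System.TimeCreated.SystemTime
        User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Path   = $data['ObjectName']
        Access = $hits -join ', '
    }
}

# Constructed sample event (trimmed to the fields used), so this runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2012-01-10T14:02:11Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">D:\Shares\Projects\Budget</Data>
    <Data Name="AccessMask">0x10000</Data>
  </EventData>
</Event>
'@
ConvertFrom-FileAuditEvent -EventXml $sample

# On the file server, from an elevated prompt, feed it the real log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
#     ForEach-Object { ConvertFrom-FileAuditEvent -EventXml $_.ToXml() }
```

The Security log rolls over, so raise its maximum size or forward these events elsewhere if you need to look back more than a few days on a busy share.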

Next time someone deletes something they aren’t supposed to I can chase them down.

Sources:

  1. Technet forum – Where is my : Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  2. Technet forum – auditing file share on windows 2008 R2
  3. Technet – Fine Tune Your Security Audit Policies
  4. Technet forum – how can track who deleted file/folder from Windows Server 2008
  5. Technet – Advanced Audit Policy Configuration descriptions


Group policy – create a central store

I’m forever tweaking our group policy settings as I read more and more about it and how to manage Windows 7 machines along with Windows XP machines. Adding some admin templates to the group policy settings is what set me on this path again.  I read about creating a central store on the domain controller making it easier to manage the settings and reducing the amount of duplication on the servers. But I also found another post saying that it may cause some problems. So I guess I’ll find out. It’s super easy to create a central store so I can also go back and remove it if I need to.

I found this awesome video that was really helpful. For some reason, reading how to do it kept confusing me.

  1. Go to your domain controller, go to your run menu and type in \\{domain name}\SYSVOL\{domain name}\policies
  2. Go to run again and type in %systemroot%
  3. Find the PolicyDefinitions folder and copy it.
  4. Go back to your policies folder that we opened in the first step and paste the entire PolicyDefinitions into the folder.
  5. Your central store is now created.

If you open your group policy management editor and click on the administrative templates folder under either computer or user configuration, you’ll now see that it is retrieving them from the central store. Now if you download new templates to manage various settings or programs, you’ll copy them into that new central store folder to add them to group policy.

If you need to use the old ADM template files to manage older settings you’ll need to copy those files into the central store and then go to group policy management editor, right-click on administrative templates, and then choose add/remove templates to manually import those. I need to be able to manage Office 2003 since our XP machines are still running that. They didn’t automatically load into group policy management after I copied them into the central store.


Deploy printers using group policy

I should say that this is for a mixed environment. It was such a pain for me to figure this out because we have machines running Windows XP and some machines running Windows 7. Some parts of the policies are ignored by the Windows 7 machines if I manage group policy on our Server 2003 DC, so I had to figure out how to get this going on Server 2008 and find the settings that would work for both operating systems.

I’ve recently deployed new computers and cascaded the computers that were replaced down to other locations to get rid of the really old ones. I really hated having to install all the printers under every single user account so I decided to look into how to configure group policy to deploy them. My office is small enough that I can deploy all the printers to every user and not have to worry about separating them by OU. They can set the default printers themselves. As long as I don’t have to deal with installing them every time we replace a computer or every time we get an Intern, I’ll be happy.

We have one Server 2008 box with the rest being Server 2003. Since half of our workstations are Windows 7 I’ll be using Server 2008 to configure and deploy group policy. One thing you’re going to want to make sure of is that all the workstations have the group policy preference client side extensions. You’ll need them for any machines that are running Windows XP or Vista. You can also select the client side extensions when you look at the optional updates on the Windows Update site. I really hope you don’t have any machines running Vista. I thought I installed them on Windows 7 too, but I just looked and apparently it wasn’t necessary.

These steps will allow you to manage printers from your server 2008 box without actually making it a print server.

  • Go to server management, either through administrative tools menu or just type it into the search bar.
  • Click on features and then add features on the right.
  • Find remote server administration tools and expand that list, expand role administration tools. Then find print services tools and check the box. Go through the installation, it does not require a reboot, but it does take its sweet time finishing.

  • Now you can go to print management and select the server(s) you want as the print server(s). I removed the local server since I just want to use this server as the manager.
  • After you’ve added the servers you’ll see them in the left panel.  Click on the appropriate server, click on printers and from here you’ll select which printers to deploy using group policy by right-clicking on the printer and selecting deploy using group policy.
  • In the window that pops up, go to browse and find the policy you want to assign the printer to. Check the box for either a per user setup or per computer. I don’t really know the pros and cons, but the way our policies are set up it’s easier for me to select per user.

  • Make sure you click the add button below that to make it show up in the bottom area. I kept hitting OK and then wondering why there wasn’t some sort of confirmation, duh. I made the mistake of starting to configure this before I had my coffee this morning. After you hit OK or apply, it will hopefully say it was successfully assigned.

Since my users do not have admin privileges on their machines I need to find a way to allow the drivers for the printers to install without prompting for admin credentials. There are a couple places on the group policy you need to go to for this setting so that it takes effect for both Windows 7 and Windows XP machines.

  • Computer configuration -> policies -> windows settings -> security settings -> local policies -> security options -> Devices: Prevent users from installing printer drivers: Disabled

Some people may not want to uncheck that box, but after having to go down the hall to type my credentials in so many times, I’m fine with it.

  • The other location is user configuration -> policies -> administrative templates -> control panel -> printers -> point and print restrictions: enabled

  • Make sure the top 2 boxes are unchecked and select “do not show warning or elevation prompt” and “show warning only” for the drop down lists.

After all this the printers should install for all users or computers, depending on how you assigned them. I’m hoping it’ll stop me from getting phone calls about having to enter my credentials in for the Windows 7 machines.

I just had someone test it for me by logging into a Windows 7 machine they hadn’t logged into before and it worked. I watched the printers pop up under devices and printers without prompting for admin credentials. This will save me so much time.
