File/Folder Move Audit on Windows 2003
-
Wednesday, November 14, 2012 6:02 AM
Hello All,
Am I able to audit file moves on a Windows 2003 server? I have enabled auditing for Create Files/Folders, Write delete subfolder/files, change permissions and take ownership options on the Windows 2003 server.
I have tested it myself by trying to move a file from the folder I'm auditing to a subfolder under it, and there are no events triggered. But if I try to delete the file, it gets logged.
Can somebody advise if file/folder moves can be audited and how I’m meant to analyse file/folder moves on a Windows 2003 server?
Thanks
Regards, Arun
All Replies
-
Wednesday, November 14, 2012 6:53 AM Moderator
Hi Arun,
A file or folder move is in fact treated as a deletion operation when it comes to auditing.
When a file/folder is being moved, the MOVE operation deletes the file/folder from the original/source folder and then creates a new file/folder in a different/destination folder.
Look for file/folder delete events and you will be able to track the movements.
To audit the MOVE operation, enable the Audit object access policy on the folder/s.
HTH
Thanks
Regards, Santosh
I do not represent the organisation I work for, all the opinions expressed here are my own.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator, Wednesday, November 28, 2012 10:44 AM
-
Wednesday, November 14, 2012 8:12 AM
In addition to Santosh's post, I suggest you check for Event ID 564 in the security log for this.
Regards, Ravikumar P
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator, Wednesday, November 28, 2012 10:44 AM
-
Wednesday, November 14, 2012 2:18 PM
Hi Arun,
Sure. Here's how it works: first Windows will check to see if the user has the security rights to 'delete' the folder and, if so, it will 'Rename/Move' the folder (assuming that it's on the same volume).
You should be able to configure native file auditing to pick the events up.
The problem you're going to run into is event log noise, since you'll most likely set up a global SACL so as not to miss any folder moves... this will cause a flood in your event log. If you have an event log monitoring solution (e.g. MOM) you can filter through all that noise and get what you want.
If you don't have an event log monitoring solution, I recommend that you look at our product FileSure. It can do what you need without you having to deal with ACLs or the event log at all. Many of our customers set up a daily 'Moved/deleted folders' report to be emailed to them.
HTH,
Gene
- Edited by Iunknown21 Wednesday, November 14, 2012 2:19 PM removed website URL.
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator, Wednesday, November 28, 2012 10:44 AM
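An added example, not part of the thread or of any product mentioned in it: one way to cut the event log noise described above down to the delete events (Event ID 564) the replies point to. A 564 record identifies the object by handle ID, so the path is taken from the matching 560 (object open) record; the record layout, the sample data and the "possible move" heuristic (a write-open of the same file name elsewhere by the same user within a few seconds) are assumptions of this example.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample records, laid out as if exported from the Security log.
# Field names are assumptions of this example, not a real export schema.
SAMPLE = [
    {"time": "2012-11-14 06:10:01", "id": 560, "user": "arun", "handle": 1204,
     "object": r"D:\Audit\report.doc", "accesses": ["DELETE"]},
    {"time": "2012-11-14 06:10:01", "id": 564, "user": "arun", "handle": 1204},
    {"time": "2012-11-14 06:10:02", "id": 560, "user": "arun", "handle": 1312,
     "object": r"D:\Audit\Sub\report.doc", "accesses": ["WriteData (or AddFile)"]},
    {"time": "2012-11-14 06:15:40", "id": 560, "user": "arun", "handle": 1204,
     "object": r"D:\Audit\old.txt", "accesses": ["DELETE"]},
    {"time": "2012-11-14 06:15:40", "id": 564, "user": "arun", "handle": 1204},
    {"time": "2012-11-14 06:20:00", "id": 560, "user": "arun", "handle": 1400,
     "object": r"D:\Audit\notes.txt", "accesses": ["ReadData (or ListDirectory)"]},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def classify_deletes(events, window=timedelta(seconds=5)):
    """Return (path, user, verdict, destination) for every 564 event."""
    open_handles, deletes, writes = {}, [], []
    for e in sorted(events, key=_ts):          # stable sort keeps log order
        if e["id"] == 560:
            # Handle IDs are reused, so keep only the latest open per handle.
            # (A real log would key on process ID + handle ID.)
            open_handles[e["handle"]] = e
            if any(a.startswith("WriteData") for a in e["accesses"]):
                writes.append(e)
        elif e["id"] == 564 and e["handle"] in open_handles:
            src = open_handles.pop(e["handle"])
            deletes.append((_ts(e), src["object"], src["user"]))
    results = []
    for when, path, user in deletes:
        name = ntpath.basename(path).lower()
        # Heuristic: same user writes the same file name somewhere else
        # within the time window -> treat the delete as one half of a move.
        dest = next((w["object"] for w in writes
                     if w["user"] == user and w["object"].lower() != path.lower()
                     and ntpath.basename(w["object"]).lower() == name
                     and abs(_ts(w) - when) <= window), None)
        results.append((path, user, "possible move" if dest else "delete", dest))
    return results

if __name__ == "__main__":
    for row in classify_deletes(SAMPLE):
        print(row)
```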
-
Saturday, November 17, 2012 10:08 PM
Thanks Guys.
I will try all your suggestions and will update you.
Arun
Regards, Arun

