locked
I want to audit who was login RRS feed

  • Question

  • We have two users who have the permission to login to the win2003 Server. Suppose my few folders are deleted. How can i come to know/track who deleted it
    Any comment will be appreciated ________________________________ Thanks Zahid Haseeb zahidhaseeb.wordpress.com
    Friday, December 10, 2010 12:42 PM

Answers

  • http://support.microsoft.com/kb/814595

    Hi,

    Enable the 'audit active directory object'


    Bruno VERLYNDE
    Friday, December 10, 2010 2:23 PM
  • Hello,

    you have to enable auditing in AD with GPO and then enable folder auditing on the required folder with all needed options. That way you can log who did what on the folder detailed.

    Therefore enable auditing according to this one, copied from another thread:

    -------------------------------------------------------------------------------------------
    Enabling file auditing is a 2-step process.

    [1] Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."

    [2] Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.

    After you've done both of these steps, any file deletions will show up in the Security log of the file server that hosts those files.

    HTH
    -------------------------------------------------------------------------------------------


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, December 10, 2010 2:38 PM
  • Meinolf's recommendation is correct.  When auditing access to resources such as file and print shares, you not only have to enable it via a GPO and link it to the domain or OU, but you also have to configure the auditing properties for that resource in the Advanced properties of the resource.  You can be as specific as you would like for auduting, such as audit everyone, a group, or just one person.


    Visit: anITKB.com, an IT Knowledge Base.
    Friday, December 10, 2010 4:08 PM

All replies

  • Hi

    you only can see in security log who logged in.

    but cannot see who deleted the folder and what time he did

    the only solution for this you need to buy third party software

    quest software whee you have all auditing record and who logged in who logged out what file has been deleted what time and who delete the file.

     

    thanks


    Naeem Bhatti MCITP EA, MCITP, MCTS Exchange 2007 MCSE security,MCSE AD, MCSE in Messaging, MCDST SBS2003 and SBS2008 Specialist
    Friday, December 10, 2010 1:15 PM
  • http://support.microsoft.com/kb/814595

    Hi,

    Enable the 'audit active directory object'


    Bruno VERLYNDE
    Friday, December 10, 2010 2:23 PM
  • Hello,

    you have to enable auditing in AD with GPO and then enable folder auditing on the required folder with all needed options. That way you can log who did what on the folder detailed.

    Therefore enable auditing according to this one, copied from another thread:

    -------------------------------------------------------------------------------------------
    Enabling file auditing is a 2-step process.

    [1] Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."

    [2] Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.

    After you've done both of these steps, any file deletions will show up in the Security log of the file server that hosts those files.

    HTH
    -------------------------------------------------------------------------------------------


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, December 10, 2010 2:38 PM
  • Meinolf's recommendation is correct.  When auditing access to resources such as file and print shares, you not only have to enable it via a GPO and link it to the domain or OU, but you also have to configure the auditing properties for that resource in the Advanced properties of the resource.  You can be as specific as you would like for auduting, such as audit everyone, a group, or just one person.


    Visit: anITKB.com, an IT Knowledge Base.
    Friday, December 10, 2010 4:08 PM