What is the default auditing for the SYSVOL folder in multiple domains, and how to find who deleted files and folders from sysvol \ group policy \ folder redirection \ desktop

    General discussion

  • Hi Techies,

    I have a strange issue with one of my domain group policy users.

    1) Users complained that desktop items were not there.

    2) When I checked, the desktop items were not there in %logonserver%\netlogon\GP_Fld_Redirection\abc\desktop\

    3) There was no issue with the GP setting.

    4) After restoring the desktop items from backup, the desktop items were visible.

    Now the questions are as follows:

    • How to check who has deleted or removed desktop items from that location?
    • How to see the audit logs for the sysvol folder? When I checked in Event Viewer for event ID 4660, nothing was found.
    • Does the sysvol folder have the delete object audit policy enabled by default?
    • In the DC default domain policy, Failure and Success are enabled for Object Access.
    • I even checked event ID 5143, but no luck.
    • Now I have to submit a root cause analysis report. Please help me.


    With Regards, Raviraj Nagenhatti - System Administrator


    Thursday, September 10, 2015 5:57 PM

All replies

  • Hi Raviraj Nagenhatti,
    Thanks for your post.

    May I also ask whether the problem only happens to that account logging on to the computer? Has the user tried logging on to another computer to test? Or have other users logged on to that specific computer?

    And is the user profile a roaming profile? Does it need to sync at login?

    This issue can also be caused by deleting a user profile. So in your scenario, you may also check whether it is related to a corrupt profile.

    To audit the sysvol folder, you may follow the steps below.
    Set auditing on SYSVOL
    1. Navigate to the %systemroot%\SYSVOL folder.
    2. Open the properties of the domain folder and navigate to the Auditing tab.
    3. Create a SACL entry which audits Everyone, applies to This folder, subfolders and files, for Successful accesses of type Create files / Write data, Create folders / Append data, Delete subfolders and files, Delete, and Change permissions.
    Please refer to the article for more details.
    http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 11, 2015 5:59 AM
    Moderator
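The three steps in the reply above, scripted in PowerShell as an added example (this is not code from the thread or from Microsoft): the first function writes the SACL on %systemroot%\SYSVOL\domain, the second correlates the resulting 4663 and 4660 Security events to show who deleted what. It assumes an elevated session on the domain controller and that the Object Access > Audit File System subcategory is enabled for Success, since a SACL alone writes nothing to the Security log.

```powershell
# Step 1-3 of the reply: audit Everyone, "This folder, subfolders and files", Success, for
# Create files / Write data, Create folders / Append data, Delete subfolders and files,
# Delete, Change permissions. Default path is an assumption matching the reply.
function Set-SysvolAudit {
    param([string]$Path = (Join-Path $env:SystemRoot 'SYSVOL\domain'))

    $rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions'
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $success   = [System.Security.AccessControl.AuditFlags]::Success
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                       -ArgumentList 'Everyone', $rights, $inherit, $propagate, $success

    # -Audit is required so Get-Acl reads (and Set-Acl writes) the SACL, not just the DACL
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 4660 ("An object was deleted") names no file, only a Handle ID; the 4663 access event
# for the same handle carries the ObjectName. Join them on HandleId, oldest first, so the
# 4663 is always seen before its 4660. Only hits under SYSVOL are reported.
function Get-SysvolDeletions {
    param([datetime]$Since = (Get-Date).AddDays(-1), [string]$PathPattern = '*\SYSVOL\*')

    $filter = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object RecordId
    $handles = @{}
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($e.Id -eq 4663) {
            if ($data.ObjectName -like $PathPattern) { $handles[$data.HandleId] = $data.ObjectName }
        } elseif ($handles.ContainsKey($data.HandleId)) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                User   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object = $handles[$data.HandleId]
            }
        }
    }
}

Set-SysvolAudit                              # apply the SACL once
Get-SysvolDeletions | Format-Table -AutoSize # run after deletions to see who removed what
```

If the SACL is in place but the table stays empty after a known deletion, check the effective audit policy on the DC with auditpol /get /subcategory:"File System" before looking further.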
  • Hi Mary,

    Thanks for your reply.

    This issue happened to all the users, not a particular one. There is no roaming profile assigned.

    By default, the SYSVOL folder has the delete audit policy enabled.

    Now I want to know who has deleted the desktop items from the sysvol folder.

    Now the questions are as follows:

    • How to check who has deleted or removed desktop items from that location?
    • How to see the audit logs for the sysvol folder? When I checked in Event Viewer for event ID 4660, nothing was found.
    • Does the sysvol folder have the delete object audit policy enabled by default?
    • In the DC default domain policy, Failure and Success are enabled for Object Access.
    • I even checked event ID 5143, but no luck.
    • Now I have to submit a root cause analysis report. Please help me.


    With Regards, Raviraj Nagenhatti - System Administrator

    Monday, September 14, 2015 9:29 AM
  • Hi Techies,

    Is there any forensic tool where I can find who deleted or changed anything in sysvol, ntds, and shared folders? As in the forest there are many AD servers sharing sysvol.

    I checked; in my case there are many AD servers, and from the sysvol\gpredirectionfolder\GP-Project\ folder the desktop icons were missing.

    When I checked whether audit is enabled for the Sysvol folder, I could see it is enabled for delete.

    Request all techies to give me a solution for this.


    With Regards, Raviraj Nagenhatti - System Administrator

    Tuesday, September 15, 2015 1:26 PM
  • Hi Techies,

    I enabled the advanced auditing group policy (Default Domain Controller Policy) to track the changes on the domain controller.


    With Regards, Raviraj Nagenhatti - System Administrator

    Tuesday, October 20, 2015 9:51 AM