locked
How to Know who Deleted Your Share Folder Data in Windows Server 2008 RRS feed

  • Question

  • Dears,


    I have Windows Server for file server and share folder, I have created some shred folders for our departments, based on their request I put specific names belong to department into share folders those users only has access for the share folder, for some unknown reason some one has deleted all the data inside share folder in the file server, my question is how can I monitor or know who is deleted the information inside share folder because I have more than one user it has access on the share folder, is there any way to know that like log files or any other solutions? thanks in advance..


    Thanks.

    Thursday, May 8, 2014 12:49 PM

Answers

  • Auditing access of shared folder will show you : who deleted shared folder data.
    You can follow below steps :

    Open Group Policy Editor by typing gpedit.msc to Start menu's search field or Run dialog window and hit Enter.
    Go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies Audit Policy, double click to open Audit Object Access.

    Please refer to below links :http://roberttechnicalblog.blogspot.in/2010/02/auditing-shared-folder.html

    And, http://www.sevenforums.com/tutorials/123362-audit-log-access-shared-folders.html

    Meanwhile, you can also have a look at this proficient application(http://www.fileserverauditor.com/) which looks an exact solution to accomplish auditing task in windows server. It will notify you about all changes made in windows server by sending a customized emails with real time alerts so that you can take required action while need in your working environment.


    Friday, May 9, 2014 8:38 AM
  • Hi,

    1. Enable Audit on your file server and you need enable Audit policy as well in Group Policy. See:

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/dd0f78d0-e39c-4ea6-9087-9250694b9a90/

    2. I mentioned PowerShell is to help you find a way to set Audit in more folders with a cmdlet instead of manually set it per folder.

    3. If you are going to Audit specific users, add users or user group.


    If you have any feedback on our support, please send to tnfsl@microsoft.com.

    Wednesday, May 21, 2014 1:56 AM

All replies

  • There is a post right next to this one on the same subject:  Windows 2008 R2 DFS File Deletion Auditing
    Thursday, May 8, 2014 12:53 PM
  • You might be able to get away with Windows Native File Auditing for this since it's only one folder and if you only turn on the Delete SACL.  Here's a video I did that explains how to use Windows Native auditing: https://www.youtube.com/watch?v=8Lot58yAEKM

    There are also 3rd party tools like ours (www.bystorm.com) that can also tell you want you need to know and it's easier to set up and use.

    The FileSure trial is fully functional and works for 21 days.  You might be able to just install the trial and catch whoever is deleting the files before the trial runs out. :)

    Good luck!

    Gene

    Thursday, May 8, 2014 2:44 PM
  • Auditing access of shared folder will show you : who deleted shared folder data.
    You can follow below steps :

    Open Group Policy Editor by typing gpedit.msc to Start menu's search field or Run dialog window and hit Enter.
    Go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies Audit Policy, double click to open Audit Object Access.

    Please refer to below links :http://roberttechnicalblog.blogspot.in/2010/02/auditing-shared-folder.html

    And, http://www.sevenforums.com/tutorials/123362-audit-log-access-shared-folders.html

    Meanwhile, you can also have a look at this proficient application(http://www.fileserverauditor.com/) which looks an exact solution to accomplish auditing task in windows server. It will notify you about all changes made in windows server by sending a customized emails with real time alerts so that you can take required action while need in your working environment.


    Friday, May 9, 2014 8:38 AM
  • Thanks for all articles, but our company already created share folders and gave all users access based on their request, so if I do your ways I have to go to add one by one which is taking a lot of times, is there a way to deploy on all the share folders one time? 
    Sunday, May 11, 2014 7:29 AM
  • Maybe try with PowerShell cmdlet to do the batch job. Here are 2 pages with similar information regarding PowerShell:

    http://blogs.technet.com/b/bulentozkir/archive/2009/12/26/bir-dizinde-folder-everyone-i-in-auditing-i-aktif-eden-rnek-powershell-scripti.aspx

    http://social.msdn.microsoft.com/Forums/en-US/f7c052dd-4141-4ba3-a86b-37948312e130/enabling-auditing-with-powershell?forum=sharepointgeneralprevious


    If you have any feedback on our support, please send to tnfsl@microsoft.com.

    Tuesday, May 13, 2014 2:59 AM
  • Thanks, but my question is shall I enable auditing in AD server on file share server? Second question, as I mentioned in my previous question my problem is I have more that 100 sharde folders in our file share server, I have to add users in security - advance - audit users who has permission one by one, is there a way to make short to do not add them one by one, or if I add everyone in security - advance - audit it will include everyone or just the users who already has access in this share folder, thanks in advance.
    Tuesday, May 13, 2014 5:53 AM
  • Hi,

    1. Enable Audit on your file server and you need enable Audit policy as well in Group Policy. See:

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/dd0f78d0-e39c-4ea6-9087-9250694b9a90/

    2. I mentioned PowerShell is to help you find a way to set Audit in more folders with a cmdlet instead of manually set it per folder.

    3. If you are going to Audit specific users, add users or user group.


    If you have any feedback on our support, please send to tnfsl@microsoft.com.

    Wednesday, May 21, 2014 1:56 AM