Log deleted files in Event Viewer

[Chrispybee]

Hi Guys

Does anyone know how or if it's possible to log when a file or files get deleted using windows 2000 server??

Thanks

Chris

[DiGiTaIErRoR]

Yea, you can get programs that monitor disk access.

[Ideas Man]

Absolutly, it's very easy. First turn on Auditing, you do this by going to the Domain Controller Security Policy (Start->Programs->Administrative Tools) for the Domain Controller, if you require for a Server/Computer that is not the DC, tell us.

Expand Computer Configuration->Windows Settings->Security Settings->Local Policies->Audit Policy and set Audit Object Access to Success.

Find the folder/drive that you wish to monitor and right-click it and select Properties->Security->Advanced->Auditing->Add... Enter the usernames of the users you want to monitor for deleting files, if you want to monitor everyone, enter Everyone.

Check Delete and Delete Subfolders and Files in the success column, Click OK, OK, OK.

You should then get an event in the event viewer such as the one below when files are deleted.

Object Open:
Object Server: Security
Object Type: File
Object Name: C:\New Text Document.txt
Handle ID: 1556
Operation ID: {0,5231239}
Process ID: 2592
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: username
Primary Domain: domain
Primary Logon ID: (xxxxx)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
SYNCHRONIZE
ReadAttributes

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at

[Chrispybee]

Hi Ideas Man,

I want this to work on another server. How would I do this on a 2000 Advanced Server?

[Ideas Man]

Log into the server and click Start-> Run and type in gpedit.msc and click OK. The instructions should be the same. It will work as long as there is no policy set in the domain policy that specifies otherwise.