Can I track who deletes a file on Win2k server?
We have a Win2k file server. When someone deletes a file, what is the Event ID number, and what must be done to see who deletes or moves the file or folder? Is there any software that can track this information?
If object access auditing is turned on, and if the file is being audited for delete, then event 560 will be logged. Event 560 simply means object access, so you may need to examine a number of them to find the right one. Look within the event for the "access" field, which will, in the case of a deletion, include the word DELETE. Look at the Primary User name to see the logon user.
One additional note: Because of the way that a system access control list (SACL) is checked, a SUCCESS event may only indicate that there was an attempt to delete a file. You may need to look a bit more to determine if the attempt was successful. Numerous software packages can be purchased that will aggregate and search through logs looking for specific events. I don't know how extensive your needs and requirements are, but you might take a look first at some free tools.
EventComb is one free utility from Microsoft. The Log Parser tool is another.
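One way to work through the answer's advice offline, as an added example that is not part of the original answer or of any Microsoft tool: a short Python script over a text export of security events that keeps only 560 events whose Accesses include DELETE and then correlates each one by Handle ID with a later 564 (Object Deleted) event, so a handle merely opened with delete rights is reported separately from a file that was actually removed. The field names and the 564 event are assumed from the Windows 2000 security log; the sample records are constructed.

```python
# Constructed sample export (not a real log); handle 0x1B0 is opened for DELETE but never deleted.
SAMPLE_LOG = """\
Event ID: 560
Object Name: C:\\Shared\\budget.xls
Primary User Name: alice
Accesses: DELETE READ_CONTROL
Handle ID: 0x1A4
---
Event ID: 560
Object Name: C:\\Shared\\plan.doc
Primary User Name: bob
Accesses: DELETE
Handle ID: 0x1B0
---
Event ID: 564
Handle ID: 0x1A4
"""


def parse_events(text):
    """Split the export on '---'; each 'Field: value' line becomes a dict entry."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def classify_deletions(text):
    """Return {'confirmed': [(user, path)], 'attempted': [(user, path)]}.
    confirmed: 560 with DELETE access plus a 564 carrying the same Handle ID.
    attempted: 560 with DELETE access but no matching 564 (opened, not removed)."""
    events = parse_events(text)
    deleted = {e["Handle ID"] for e in events if e.get("Event ID") == "564"}
    result = {"confirmed": [], "attempted": []}
    for e in events:
        if e.get("Event ID") != "560":
            continue
        if "DELETE" not in e.get("Accesses", "").split():
            continue  # handle was not opened with delete rights; ignore
        entry = (e["Primary User Name"], e["Object Name"])
        bucket = "confirmed" if e["Handle ID"] in deleted else "attempted"
        result[bucket].append(entry)
    return result
```

Run against a real export, the same correlation lets you answer the "was it actually deleted?" question the answer raises, instead of stopping at the first 560 that mentions DELETE.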
This was first published in July 2003