We have a Win2k file server. When someone deletes a file, what is the Event ID number, and what must be done to see who deletes or moves the file or folder? Is there any software that can track this information?
If object access auditing is turned on, and if the file is being audited for delete, then event 560 will be logged. Event 560 simply means object access, so you may need to examine a number of them to find the right one. Look within the event for the "access" field, which will, in the case of a deletion, include the word DELETE. Look at the Primary User name to see the logon user.
One additional note: Because of the way that a system access control list (SACL) is checked, a SUCCESS event may only indicate that there was an attempt to delete a file. You may need to look a bit more to determine if the attempt was successful.
Numerous software packages can be purchased that will aggregate and search through logs looking for specific events. I don't know how extensive your needs and requirements are, but you might take a look first at some free tools.
EventComb is one free utility from Microsoft. The log parser tool is another.
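The filtering described in the answer (event 560, DELETE in the accesses field, then the Primary User Name), as an added Python example that is not part of the original answer. The sample records and their plain-text export layout are constructed assumptions; adjust the field names to match what your log export actually produces.

```python
import re
# Constructed sample: three exported events separated by blank lines.
# The "Field: value" layout is an assumption, not a real tool's output format.
SAMPLE = r"""
Event ID: 560
Type: Success Audit
Object Name: D:\Shares\Finance\budget.xls
Primary User Name: jsmith
Accesses: READ_CONTROL
    ReadData (or ListDirectory)

Event ID: 560
Type: Success Audit
Object Name: D:\Shares\Finance\DELETE_ME.txt
Primary User Name: akhan
Accesses: ReadAttributes

Event ID: 560
Type: Success Audit
Object Name: D:\Shares\Finance\q3-report.doc
Primary User Name: jsmith
Accesses: DELETE
    ReadAttributes
"""
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Return one dict per event; indented lines extend the previous field's list."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            m = None if line[:1].isspace() else FIELD.match(line)
            if m:
                last = m.group(1).strip()
                fields[last] = [m.group(2).strip()]
            elif last and line.strip():
                fields[last].append(line.strip())
        events.append(fields)
    return events

def delete_candidates(events):
    """560 events whose Accesses list has DELETE as a whole entry (not a substring)."""
    return [
        {"object": ev["Object Name"][0], "audit_type": ev["Type"][0],
         "primary_user": ev["Primary User Name"][0]}
        for ev in events
        if ev.get("Event ID") == ["560"] and "DELETE" in ev.get("Accesses", [])
    ]
```

Matching DELETE only inside the accesses list keeps a file that merely has DELETE in its name from being reported. Each hit is a candidate only, since a success audit here may record just the attempt.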