Ask the Expert

Can I track who deletes a file on Win2k server?

We have a Win2k file server. When someone deletes a file, what is the Event ID number, and what must be done to see who deletes or moves the file or folder? Is there any software that can track this information?

If object access auditing is turned on, and if the file is being audited for delete, then event 560 will be logged. Event 560 simply means object access, so you may need to examine a number of them to find the right one. Look within the event for the "access" field, which will, in the case of a deletion, include the word DELETE. Look at the Primary User name to see the logon user.

One additional note: Because of the way that a system access control list (SACL) is checked, a SUCCESS event may only indicate that there was an attempt to delete a file. You may need to look a bit more to determine if the attempt was successful. Numerous software packages can be purchased that will aggregate and search through logs looking for specific events. I don't know how extensive your needs and requirements are, but you might take a look first at some free tools.

EventComb is one free utility from Microsoft. The log parser tool is another.

This was first published in July 2003
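
The filtering described in the answer, as an added Python example that is not from the original page: it scans Security log records for event 560 with DELETE among the accesses and reports the Primary User Name. Pairing each one with a later event 564 (Object Deleted) on the same handle goes beyond the answer and is one way to tell an attempt from a completed deletion. The record layout, function names and all sample values are assumptions constructed for illustration.

```python
import re

def field(text, name):
    """Return the value of a 'Name: value' line in an event description."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else None

def accesses(text):
    """Return the access names listed between 'Accesses' and 'Privileges'."""
    m = re.search(r"^\s*Accesses\s+(.*?)^\s*Privileges", text, re.M | re.S)
    return m.group(1).split() if m else []

def delete_report(events):
    """Find 560 opens that request DELETE; flag those followed by a 564."""
    pending, report = {}, []
    for event_id, text in events:
        if event_id == 560 and "DELETE" in accesses(text):
            row = {"user": field(text, "Primary User Name"),
                   "object": field(text, "Object Name"), "deleted": False}
            pending[field(text, "New Handle ID")] = row  # join key for 564
            report.append(row)
        elif event_id == 564:  # Object Deleted, logged against the handle
            row = pending.pop(field(text, "Handle ID"), None)
            if row:
                row["deleted"] = True
    return report

# Constructed sample: (event ID, description) pairs, all values invented.
SAMPLE = [
    (560, r"""Object Open:
    Object Name: D:\Shares\Finance\budget.xls
    New Handle ID: 1508
    Primary User Name: jdoe
    Accesses        DELETE
            ReadAttributes
    Privileges      -"""),
    (564, "Object Deleted:\n    Object Server: Security\n    Handle ID: 1508"),
    (560, r"""Object Open:
    Object Name: D:\Shares\Finance\plan.doc
    New Handle ID: 1620
    Primary User Name: asmith
    Accesses        DELETE
    Privileges      -"""),
]

if __name__ == "__main__":
    for row in delete_report(SAMPLE):
        print(row)
```

Handle IDs are reused over time, so on a real log the pairing should be limited to records from the same process and a short time window.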
