Q

Can I track who deletes a file on Win2k server?

We have a Win2k file server. When someone deletes a file, what is the Event ID number, and what must be done to see who deletes or moves the file or folder? Is there any software that can track this information?

If object access auditing is turned on, and if the file is being audited for delete, then event 560 will be logged. Event 560 simply means object access, so you may need to examine a number of them to find the right one. Look within the event for the "access" field, which will, in the case of a deletion, include the word DELETE. Look at the Primary User name to see the logon user.

One additional note: Because of the way that a system access control list (SACL) is checked, a SUCCESS event may only indicate that there was an attempt to delete a file. You may need to look a bit more to determine if the attempt was successful.

Numerous software packages can be purchased that will aggregate and search through logs looking for specific events. I don't know how extensive your needs and requirements are, but you might take a look first at some free tools.

EventComb is one free utility from Microsoft. The log parser tool is another.

This was first published in July 2003
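
The triage described in the answer above, as an added example that is not part of the original answer: it scans exported event 560 descriptions for an access list containing DELETE and reports the primary user and the object. The sample events are constructed, and the exported field layout (labels such as Object Name, Primary Domain and Accesses, one "Name: value" per line) is an assumption.

```python
import re

# Constructed sample: event 560 descriptions exported as text. The field
# layout (Object Name, Primary Domain, Accesses list) is an assumption.
SAMPLE_560 = [
    r"""Object Open:
    Object Type: File
    Object Name: D:\Shares\Finance\budget.xls
    Primary User Name: jsmith
    Primary Domain: CORP
    Accesses: DELETE
        ReadAttributes""",
    r"""Object Open:
    Object Type: File
    Object Name: D:\Shares\Finance\notes.txt
    Primary User Name: akhan
    Primary Domain: CORP
    Accesses: ReadData (or ListDirectory)
        SYNCHRONIZE""",
    r"""Object Open:
    Object Type: File
    Object Name: D:\Shares\HR\old
    Primary User Name: backupsvc
    Primary Domain: CORP
    Accesses: READ_CONTROL
        DELETE""",
]

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_event(text):
    """Split one description into {field: [values]}. Lines without a
    'Name:' prefix continue the previous field (the multi-line access list)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            value = m.group(2).strip()
            fields[last] = [value] if value else []
        elif last and line.strip():
            fields[last].append(line.strip())
    return fields

def delete_attempts(events):
    """Return (DOMAIN\\user, object) for each event whose access list has DELETE.
    A hit is a requested delete access, not proof the file was removed."""
    hits = []
    for f in map(parse_event, events):
        if "DELETE" in f.get("Accesses", []):  # exact token match
            user = "\\".join((f.get(k) or ["?"])[0] for k in ("Primary Domain", "Primary User Name"))
            hits.append((user, (f.get("Object Name") or ["?"])[0]))
    return hits
```
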