Guest KSor Posted October 27, 2008 Posted October 27, 2008 A user can "hook up" a drive to the server - let's say F - so that the users F-drive is the servers C-drive. When the user then deletes some files or folders the ydo NOT go to neither the bin on the server nor the bin on the users pc. How can I get a log of "who deleted what and when" on the server ? Best regards KSor, Denmark
Guest Dave Patrick Posted October 27, 2008 Posted October 27, 2008 Re: Logging users activity Turn on some file/folder auditing. http://support.microsoft.com/kb/301640 -- Regards, Dave Patrick ....Please no email replies - reply in newsgroup. Microsoft Certified Professional Microsoft MVP [Windows] http://www.microsoft.com/protect "KSor" wrote: >A user can "hook up" a drive to the server - let's say F - so that the >users F-drive is the servers C-drive. > > When the user then deletes some files or folders the ydo NOT go to neither > the bin on the server nor the bin on the users pc. > > How can I get a log of "who deleted what and when" on the server ? > > Best regards > KSor, Denmark > >
Guest Lanwench [MVP - Exchange] Posted October 27, 2008 Posted October 27, 2008 Re: Logging users activity KSor <keld.soerensenDELETETHIS@psa.dk> wrote: > A user can "hook up" a drive to the server - let's say F - so that > the users F-drive is the servers C-drive. Yes, they can map a drive to a share, but only if they have permissions to do so. I'd hope your server's system volume was not shared over the network with end users. > > When the user then deletes some files or folders the ydo NOT go to > neither the bin on the server nor the bin on the users pc. That's always the case when someone deletes data across the network. Presuming at least Windows 2003, if you use the Volume Shadow Copy Service on the server volume in question, you can at least restore from a snapshot backup. > > How can I get a log of "who deleted what and when" on the server ? > > Best regards > KSor, Denmark As Dave wrote, enable auditing. But note that this is not going to help you determine who did something *before* auditing was enabled, and also note that reviewing the event logs will be very, very tedious.
Recommended Posts