Guest cypherus Posted June 4, 2008 Posted June 4, 2008 I am running Windows Server 2003 R2 and three times now a folder has been deleted from a user's network drive. No one has access to this except me and the user and from what the user says, she isn't doing anything wrong. She logs in and the folder is gone. I am able to recover from backup, but that's not the point. Is there any way to find out who or when a file is deleted either in the Event Viewer or otherwise?
Guest Pegasus \(MVP\) Posted June 4, 2008 Posted June 4, 2008 Re: Windows Server 2003 Deleting Files "cypherus" <fbsdguy@gmail.com> wrote in message news:53ecded4-9025-4699-b13c-6856336cd71c@a70g2000hsh.googlegroups.com... >I am running Windows Server 2003 R2 and three times now a folder has > been deleted from a user's network drive. No one has access to this > except me and the user and from what the user says, she isn't doing > anything wrong. She logs in and the folder is gone. I am able to > recover from backup, but that's not the point. Is there any way to > find out who or when a file is deleted either in the Event Viewer or > otherwise? You could run this script: 01. ComputerName = "Cypherus" 02. FolderName = """D:\Temp""" 03. Wait = 60 'Time to wait between polls 04. 05. FolderName = replace(FolderName, "\", "\\\\") 06. Set objWMIService = GetObject("winmgmts:\\" & ComputerName & "\root\cimv2") 07. Set colMonitoredEvents = objWMIService.ExecNotificationQuery _ 08. ("SELECT * FROM __InstanceDeletionEvent WITHIN " & wait _ 09. & " Where Targetinstance ISA 'CIM_DirectoryContainsFile'" _ 10. & " and TargetInstance.GroupComponent= " _ 11. & "'Win32_Directory.Name=" & FolderName & "'") 12. 13. Do 14. Set objLatestEvent = colMonitoredEvents.NextEvent 15. Result = objLatestEvent.TargetInstance.PartComponent 16. WScript.Echo "File " & Replace(Mid(result, InStrRev(Result, "\") + 1), """", "") & " deleted." 17. Loop Instructions: - Copy & paste this code to c:\Windows\Monitor.vbs on your PC. - Modify Lines 1-3 to suit your environment. - Unbreak broken up lines. - Remove the line numbers. - Invoke the script like so: cscript //nologo c:\windows\monitor.vbs It is current form the script generates one line of text in the console screen where you run the script. I can think of three better responses: a) Send yourself an EMail note. b) Write a date/time-tagged line into a cumulative log file. c) Generate a Messenger pop-up panel on a nominated PC. You could use any one of several of the above methods. Post again if you need any assistance with this.
Guest Olivier C. Posted June 4, 2008 Posted June 4, 2008 Re: Windows Server 2003 Deleting Files Hello , You should activate an audit access on this directory/files , to see who deletes it - Activate the audit at the directory level - Active the audit at the "Domain controller" level OR locally via gpedit.msc. Use gpupdate / force to apply the policies. HOW TO : http://technet2.microsoft.com/windowsserver/en/technologies/featured/audit/default.mspx http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm http://kb.ultratech-llc.com/?File=/Audit.TXT http://www.gregthatcher.com/Papers/IT/audit.aspx http://support.microsoft.com/kb/814595 http://support.microsoft.com/kb/310399 Regards , Olivier C. Hewlett Packard for Microsoft Customer Services and Support "cypherus" <fbsdguy@gmail.com> wrote in message news:53ecded4-9025-4699-b13c-6856336cd71c@a70g2000hsh.googlegroups.com... >I am running Windows Server 2003 R2 and three times now a folder has > been deleted from a user's network drive. No one has access to this > except me and the user and from what the user says, she isn't doing > anything wrong. She logs in and the folder is gone. I am able to > recover from backup, but that's not the point. Is there any way to > find out who or when a file is deleted either in the Event Viewer or > otherwise?
Recommended Posts