Windows Server 2003 Deleting Files

[Guest cypherus]

I am running Windows Server 2003 R2 and three times now a folder has

been deleted from a user's network drive. No one has access to this

except me and the user and from what the user says, she isn't doing

anything wrong. She logs in and the folder is gone. I am able to

recover from backup, but that's not the point. Is there any way to

find out who or when a file is deleted either in the Event Viewer or

otherwise?

[Guest Pegasus \(MVP\)]

Re: Windows Server 2003 Deleting Files

 

 

"cypherus" <fbsdguy@gmail.com> wrote in message

news:53ecded4-9025-4699-b13c-6856336cd71c@a70g2000hsh.googlegroups.com...

>I am running Windows Server 2003 R2 and three times now a folder has

> been deleted from a user's network drive. No one has access to this

> except me and the user and from what the user says, she isn't doing

> anything wrong. She logs in and the folder is gone. I am able to

> recover from backup, but that's not the point. Is there any way to

> find out who or when a file is deleted either in the Event Viewer or

> otherwise?

 

You could run this script:

01. ComputerName = "Cypherus"

02. FolderName = """D:\Temp"""

03. Wait = 60 'Time to wait between polls

04.

05. FolderName = replace(FolderName, "\", "\\\\")

06. Set objWMIService = GetObject("winmgmts:\\" & ComputerName &

"\root\cimv2")

07. Set colMonitoredEvents = objWMIService.ExecNotificationQuery _

08. ("SELECT * FROM __InstanceDeletionEvent WITHIN " & wait _

09. & " Where Targetinstance ISA 'CIM_DirectoryContainsFile'" _

10. & " and TargetInstance.GroupComponent= " _

11. & "'Win32_Directory.Name=" & FolderName & "'")

12.

13. Do

14. Set objLatestEvent = colMonitoredEvents.NextEvent

15. Result = objLatestEvent.TargetInstance.PartComponent

16. WScript.Echo "File " & Replace(Mid(result, InStrRev(Result, "\") + 1),

"""", "") & " deleted."

17. Loop

 

Instructions:

- Copy & paste this code to c:\Windows\Monitor.vbs on your PC.

- Modify Lines 1-3 to suit your environment.

- Unbreak broken up lines.

- Remove the line numbers.

- Invoke the script like so: cscript //nologo c:\windows\monitor.vbs

 

It is current form the script generates one line of text in the console

screen where you run the script. I can think of three better

responses:

a) Send yourself an EMail note.

b) Write a date/time-tagged line into a cumulative log file.

c) Generate a Messenger pop-up panel on a nominated PC.

 

You could use any one of several of the above methods.

Post again if you need any assistance with this.

[Guest Olivier C.]

Re: Windows Server 2003 Deleting Files

 

Hello ,

 

You should activate an audit access on this directory/files , to see who

deletes it

 

- Activate the audit at the directory level

- Active the audit at the "Domain controller" level OR locally via

gpedit.msc.

 

Use gpupdate / force to apply the policies.

 

 

HOW TO :

 

http://technet2.microsoft.com/windowsserver/en/technologies/featured/audit/default.mspx

 

http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm

http://kb.ultratech-llc.com/?File=/Audit.TXT

http://www.gregthatcher.com/Papers/IT/audit.aspx

http://support.microsoft.com/kb/814595

http://support.microsoft.com/kb/310399

 

Regards ,

 

Olivier C.

Hewlett Packard for Microsoft Customer Services and Support

 

 

"cypherus" <fbsdguy@gmail.com> wrote in message

news:53ecded4-9025-4699-b13c-6856336cd71c@a70g2000hsh.googlegroups.com...

>I am running Windows Server 2003 R2 and three times now a folder has

> been deleted from a user's network drive. No one has access to this

> except me and the user and from what the user says, she isn't doing

> anything wrong. She logs in and the folder is gone. I am able to

> recover from backup, but that's not the point. Is there any way to

> find out who or when a file is deleted either in the Event Viewer or

> otherwise?