Tracing users who delete shared files

Status
Not open for further replies.

Ruey (MIS), joined Aug 26, 2002, messages: 5, location: AU
I am currently managing a Windows NT 4 network and have been having problems with users deleting files/folders from the shared drive.

Is there any way to find out which user has been deleting the shared files/folders?

TIA

Please reply to:
enanoria@tpg.com.au
 
Assuming that for whatever reasons you cannot restrict the users' privileges more...

It is not very difficult to find out when a file was deleted, and one could compare with logons at the time.

If the shared files are supposed to be unchanged, it is not hard to simply replace any changed or deleted files from a backup area periodically. Restricting to read-only privileges is easier.

Do you know if this is from carelessness, lack of user training or hostile reasons?

 
Thanks for the reply.

There are only two people who have access to this folder. I have FULL access as the Domain Admin and the user has CHANGE access rights. The user has brought to my attention, that his home folder just disappeared. I suspect that he accidentally deleted it but would like some sort of proof. And also to eliminate the possibility of a third party.

By the way the Directory Auditing is currently not enabled on this drive, is there another way aside from comparing logons (usrstat domain)?
 
Sorry about the multiple posts!!

I kept getting an error message!
 
Being in infosec I hate to discourage paranoia, but, if this is the only incident and you think you have taken reasonable steps against viruses, worms and hackers, well, the only choices are to assume a user slip or start with an investigation that is not inexpensive, at least with time.

I hope I can learn too, if someone has better information.

Hmm, how about listing the directories for a while, daily, and simply using FC to see what has changed.

DIR \ /s /ad > Logfile

and then compare to an old copy

FC Logfile oldLogFile

If directories are disappearing unexplained, wry grin, it is time to do something.

Most likely you will not see vaporizing user directories. Maybe some in cache or systems areas.
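
The daily DIR/FC comparison suggested above, as an added example that is not part of the original posts: instead of reading raw FC output, this Python sketch parses two `DIR /s /ad` snapshots and reports only the directories that vanished between them, collapsing a deleted tree to its topmost folder. It assumes the English-locale listing layout (`Directory of` headers, `<DIR>` entries); the paths and names in the sample are constructed. It shows what went missing between two snapshots, not who removed it.

```python
import ntpath
import re

HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")   # section header line
ENTRY = re.compile(r"<DIR>\s+(.+?)\s*$")             # one directory entry line

def parse_dir_listing(text):
    """Return the full path of every directory named in `DIR /s /ad` output."""
    found, parent = set(), None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            parent = header.group(1)
            found.add(ntpath.normcase(parent))
            continue
        entry = ENTRY.search(line)
        if entry and parent and entry.group(1) not in (".", ".."):
            found.add(ntpath.normcase(ntpath.join(parent, entry.group(1))))
    return found

def missing_directories(old_text, new_text):
    """Directories present in the old snapshot but not the new one, topmost only."""
    gone = parse_dir_listing(old_text) - parse_dir_listing(new_text)
    # A deleted tree takes its subdirectories with it; report just its root.
    return sorted(d for d in gone if ntpath.dirname(d) not in gone)

# Constructed sample snapshot (not real output from the poster's server).
OLD = r"""
 Directory of D:\Shared
08/26/02  09:14a        <DIR>          .
08/26/02  09:14a        <DIR>          ..
08/26/02  09:14a        <DIR>          Home

 Directory of D:\Shared\Home
08/26/02  09:14a        <DIR>          .
08/26/02  09:14a        <DIR>          ..
08/26/02  09:20a        <DIR>          jsmith

 Directory of D:\Shared\Home\jsmith
08/26/02  09:20a        <DIR>          .
08/26/02  09:20a        <DIR>          ..
08/27/02  04:41p        <DIR>          My Documents
"""
# Next day's snapshot (constructed): the jsmith tree is no longer listed.
NEW = "\n".join(line for line in OLD.split(r" Directory of D:\Shared\Home\jsmith")[0]
                .splitlines() if not line.endswith("jsmith"))

if __name__ == "__main__":
    print("missing since last snapshot:", missing_directories(OLD, NEW))
```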
 
Hope this helps.


Auditing files and directories allows you to track their usage. For a particular file or directory, you can specify which groups or users and which actions to audit. You can audit both successful and failed actions. Windows NT stores the information generated from auditing in a file.
To audit files and directories, you must set the audit policy to audit file and object access. Set audit policy in User Manager.

Important

To audit files and directories, you must be logged on as a member of the Administrators group.

To audit a file or directory

1. In the File Manager window, select the file or directory.

2. From the Security menu, choose Auditing.

3. If you are setting auditing on a directory, two check boxes allow you to control how auditing changes apply to existing files and subdirectories.

   - By default, the Replace Auditing On Existing Files check box is selected, so the changes you make to auditing apply to the directory and its files only.
   - Select both the Replace Auditing On Subdirectories and the Replace Auditing On Existing Files check boxes to apply auditing changes to the directory and its files, and to existing subdirectories and their files.
   - To apply auditing changes to the directory only (not to existing files in the directory or to subdirectories and their existing files), clear both the Replace Auditing On Subdirectories and Replace Auditing On Existing Files check boxes.
   - To apply auditing changes to the directory and subdirectories only (not to existing files in the directory or subdirectories), select the Replace Auditing on Subdirectories check box and clear the Replace Auditing on Existing Files check box.

4. Set auditing for each group or user in the list:

   Select the name of a group or user, and then select the events to audit for that group or user.

5. Choose the OK button.

To remove file or directory auditing for a group or user

1. In the Auditing dialog box, select the name of the group or user in the list.

2. Choose the Remove button.

3. For help with any dialog box, choose the Help button, or press F1 while using the dialog box.
 