Auditing

Steven L Umbach

You first enable auditing of object access on the server in Local Security
Policy or via a Group Policy that applies to the server. Then you use the
security properties/advanced to find the ability to audit for users/groups
and permissions to audit. Auditing of folders is NOT user friendly but if
set up correctly the info you need should be in the logs if you know what to
look for. You also will need to increase the size of the security log
substantially to maybe at least 30MB or so as auditing of object access will
cause a LOT of events to be recorded in the security log. For instance when
a user just views a file you can see seven or so events recorded. That is
why it is important to audit the bare minimum of folders, for the bare
minimum of users, for the bare minimum of permissions to find the info you
need. Avoid auditing everyone/users/authenticated users groups.

I suggest you test this by auditing a folder for a single user to see what
kind of events are recorded in the security log after a specific action is
done such as a write or delete. Just enabling auditing of object access will
generate seemingly unrelated events. You will find the free tool Event Comb
from Microsoft helpful as it can search logs for Event IDs and for text
strings such as user name, file name, delete, etc. The links below may
help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://www.microsoft.com/technet/pr...elp/5658fae8-985f-48cc-b1bf-bd47dc210916.mspx
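
The single-user test described in the post above, scripted in PowerShell as an added example (not part of the original reply). It assumes a Windows version that has `auditpol` subcategories and `Get-WinEvent`, where file access is logged as Security event 4663; the folder path and account name are hypothetical placeholders.

```powershell
# Added example. Run from an elevated PowerShell prompt on the file server.
# $folder and $user are hypothetical placeholders for a test folder and account.
$folder = 'D:\Shares\AuditTest'
$user   = 'CONTOSO\testuser'

# 1. Enable success auditing for file system object access only.
#    (The subcategory name is localized on non-English systems.)
auditpol /set /subcategory:"File System" /success:enable

# 2. Raise the Security log maximum size to 32 MB (the value is in bytes).
wevtutil sl Security /ms:33554432

# 3. Add an audit entry for one user and only the permissions of interest.
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $user, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. After a test write or delete as $user, list the matching events
#    from the last hour that refer to objects under $folder.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    # Flatten the event's named EventData fields into a hashtable.
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data.ObjectName -like "$folder*") {
        $mask = [Convert]::ToInt32($data.AccessMask, 16)
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Delete  = [bool]($mask -band 0x10000)   # DELETE access right
            Write   = [bool]($mask -band 0x2)       # WriteData / AddFile
            Process = $data.ProcessName
        }
    }
} | Format-Table -AutoSize
```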
 
