You may give Undelete from Executive Software a try... they have an
"Emergency Undelete" feature that I have used in the past.
It MAY also tell you who deleted the file in the first place.
Make sure that your boss knows that the answer might be "no" you cannot
determine it after the fact.
Oh, and getting upset doesn't help.
This posting is provided "AS IS"
with no warranties, and confers no rights
--------------------
| Subject: Re: How to trace a deleted file on a server by a user
| From: "Vera Noest [MVP]"
| User-Agent: Xnews/5.04.25
| Newsgroups: microsoft.public.win2000.termserv.apps
| Date: Fri, 24 Sep 2004 13:59:38 -0700
|
| Did you have auditing of security events (especially logon and
| logoff events) turned on when this happened? That would at least
| give you a list of everyone who was logged on during the time this
| happened.
| If you didn't have security auditing enabled, I don't think there
| is much more that you can do to find out who messed up.
|
| Did you make a full backup of your system immediately after the
| file loss was discovered? If so, you could have a look at the time
| stamps of every user profile, which could tell you when users were
| last logged in. That could at least rule out some suspects.
|
| I have no personal experience with any third-party software, but if
| you google for "auditing software" I'm sure you'll find lots of them.
| But I doubt very much if anything can be found out about past
| incidents. And again, be prepared for a performance hit if you
| want to audit every single file operation.
|
| --
| Vera Noest
| MCSE, CCEA, Microsoft MVP - Terminal Server
| http://hem.fyristorg.com/vera/IT
| --- please respond in newsgroup, NOT by private email ---
|
| 2004 in microsoft.public.win2000.termserv.apps:
|
| > Thank you for the information, I understand your point,
| > but it's the boss's decision and I think you understand
| > that. There might be one administrator that could cause the
| > blunder, but we have to find out.
| > Besides, do you know one program that might help!
| >>-----Original Message-----
| >>Not after the fact has already happened.
| >>The only way to trace such events is to enable security auditing
| >>on the server, and then enable it on the specific files. But since
| >>you don't know before it happens *which* files you want to audit,
| >>you would have to audit them all. The impact this has on the
| >>performance of the server makes this unrealistic, as far as I
| >>know.
| >>There is certainly a bunch of third-party software out there which
| >>can help.
| >>
| >>Personally, I would spend less time in finding the user who did
| >>it, and more time in securing my file system. With proper NTFS
| >>permissions, this wouldn't have happened in the first place
| >>(unless an Administrator messed up).
| >>
| >> --
| >>Vera Noest
| >>MCSE,CCEA, Microsoft MVP - Terminal Server
| >>http://hem.fyristorg.com/vera/IT
| >>*----------- Please reply in newsgroup -------------*
| >>
| >> on 24 sep 2004:
| >>
| >>> Well we got some smart guys who got access to some
| >>> application files on a terminal server and deleted those
| >>> files. Now we would like to know if there is a way that we
| >>> can trace who did it.
| >>>
| >>> Is there any program or utilities that we can use to trace
| >>> the deletion.
| >>>
| >>> The files deleted were most of the office application and
| >>> Project.
| >>>
| >>> regards
| >>>
| >>> Erwin
|
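
The auditing approach described in the thread, scoped to a single application directory so that only deletes there are logged rather than every file operation on the server. This is an added example, not part of the original posts. It assumes a current Windows Server with PowerShell, where file access is logged as event 4663 (Windows 2000 uses different event IDs), and `D:\Apps` is a hypothetical path.

```powershell
# Added example; D:\Apps is a hypothetical path for the application directory.
$target = 'D:\Apps'

# 1. Turn on success auditing for file system object access (run elevated).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry that audits successful deletes only, inherited by
#    everything below $target, instead of auditing every file on the server.
$acl  = Get-Acl -Path $target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 3. Later: list who requested DELETE access (mask bit 0x10000) under $Path.
function Get-DeleteAudit {
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the named EventData fields into a hashtable.
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            $mask = [Convert]::ToInt32($d['AccessMask'], 16)
            if (($mask -band 0x10000) -and $d['ObjectName'] -like "$Path*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    LogonId = $d['SubjectLogonId']   # same value as TargetLogonId in the 4624 logon event
                    File    = $d['ObjectName']
                    Process = $d['ProcessName']
                }
            }
        }
}

Get-DeleteAudit -Path $target | Sort-Object Time | Format-Table -AutoSize
```

The audit entry only records deletes that happen after it is in place, and the Security log must be sized and retained so the events are still there when someone asks.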