J
Jason Roth
Hello,
Recently I wanted to start auditing when certain folders
and files are deleted. I did the following:
1) Enabled success/failure on the domain policy
for "object access", and refreshed the machine policy on
the DC's
2) Went to the share in question, and enabled auditing for
the everyone group, and chose to audit success/failure
for "delete" and "delete folders and files". I propogated
the auditing entries all the way down the folder structure.
Now, when a user deletes a file, I get events 560,562, and
564 recorded. 560 and 562 have nothing to do with
deletion, so I have no clue why they are being recorded.
564 is the actual deletion audit entry, but it is useless
because it doesn't indicate the user and file in
question. Supposedly event 563 is what indicates the file
deletion and the user in question, but this is not
appearing in the logs! What am I missing??
Recently I wanted to start auditing when certain folders
and files are deleted. I did the following:
1) Enabled success/failure on the domain policy
for "object access", and refreshed the machine policy on
the DC's
2) Went to the share in question, and enabled auditing for
the everyone group, and chose to audit success/failure
for "delete" and "delete folders and files". I propogated
the auditing entries all the way down the folder structure.
Now, when a user deletes a file, I get events 560,562, and
564 recorded. 560 and 562 have nothing to do with
deletion, so I have no clue why they are being recorded.
564 is the actual deletion audit entry, but it is useless
because it doesn't indicate the user and file in
question. Supposedly event 563 is what indicates the file
deletion and the user in question, but this is not
appearing in the logs! What am I missing??