Then select the directories you want to audit using NT Explorer and assign
users or groups you want to audit. Select Delete success and failure to
audit for that directory. Your security log will grow much faster, and
performance on that server might degrade slightly, but it will show exactly
who is deleting files.
From: Martin <firstname.lastname@example.org>
To: email@example.com <firstname.lastname@example.org>
Date: Tuesday, July 14, 1998 5:18 PM
Subject: auditing files
I am going nuts trying to figure out who is deleting certain files on one of
our servers. The event view/security log just tells me who logged in and
shows successful or failed audits.
Where do I start?
I had 80% of a directory disappear today. No one knows who did it. Thank
god we had it mirrored via octopus. Where do I look to find the culprit?