Audit Share on Domain Controller
Hi, quick question! We have a 2003 DC where I want to audit the moving or deleting of files/folders from a local share. I have edited the Domain Controllers OU and switched on Audit Object Access (Success). I then set auditing on the share for one security group and 3 separate users, selected the necessary permissions (e.g. Delete subfolders and files), and ran GPUPDATE to force the change. The problem is that when a test folder is deleted by one of the specified users from the audited share (via a mapped drive), an Object Access event ID (560) is reported in the security log but doesn't contain the user in question or the action, just something similar to the following:

Object Open:
    Object Server: Security
    Object Type: Key
    Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
    Handle ID: 764
    Operation ID: {0,466168928}
    Process ID: 7704
    Image File Name: C:\WINDOWS\system32\mmc.exe
    Primary User Name: administrator
    Primary Domain: ****
    Primary Logon ID: (0x0,0x170F5CCB)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses: Set key value
    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0x2

Have I missed out a step? Any help would be appreciated!
June 11th, 2009 4:45pm

You'll need to enable and add the user/security group for auditing on the folder which needs to be captured for file deletion. You also need to enable Audit Object Access (Failure). Right-click on the target folder (e.g. C:\Program Files\Honeywell), select Properties and go to the Security tab. Click on Advanced and select the Auditing tab. Add here the security group which would include the user who you think might be deleting the file. If you are not sure, include EVERYONE. On the next screen select "Successful" & "Failed" on "Delete subfolders and files" & "Delete". Apply the new settings and exit from Properties. These configurations will generate file/folder access audit logs for the configured folder in the Security event log. Since we are interested only in the logs that show details of file/folder deletions, we'll need to look for Security logs with event ID 560.

If you quickly want to find out whether your configured machine generated any file deletion event log, run the following command on your own (networked) machine. This will work only on XP and above; therefore, you can use this to query for security logs from Windows 2000 machines. Run cscript //h:cscript //s //nologo at least once on your system before executing the following command.

    eventquery.vbs /S <Target_System_Name> /FI "ID eq 560" /L Security /V

    /FI : Filter
    /L  : Log name {Application | Security | System}
    /V  : Verbose output

NOTE: Ensure that the Security log is set not to overwrite itself and has sufficient size to hold logs spanning many days. You can configure these settings by right-clicking on the Security subfolder inside Event Viewer. Auditing can have an impact on the performance of the domain controller; keep that in mind.

Source

Certifications: MCSA 2003, MCSE 2003, studying for MCITP:EA&SA
June 14th, 2009 12:39am

Hey, thanks for the response. Yeah, I think I followed this correctly (although I used Audit Object Access - Success via the DC Group Policy to generate events). When a test folder is deleted it does log an event 560 but doesn't contain the user or details or what was deleted (as per the example above). Thanks.
June 15th, 2009 12:14pm

Hi, According to my test, if you delete the file locally, the Client User Name in the description of the event 560 is blank. You can check the Primary User Name to identify who deleted the file. Thanks.
June 18th, 2009 6:27am
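As an added example (not code from this thread or from Microsoft), here is a small Python parser for the 560 "Object Open" descriptions quoted above. It skips non-file events such as the registry-key 560 in the question, reports the Client User Name when the access came through the share and falls back to the Primary User Name otherwise (the point of the reply just above), and counts a deletion only once a 564 "Object Deleted" event with the same Handle ID follows the 560. The sample events, the CONTOSO domain, the share path and the handle IDs are constructed; the 560/564 pairing goes beyond what the thread itself describes.

```python
import re

# Field labels of a 2003-era 560/564 description, in the order they appear.
FIELDS = ["Object Server", "Object Type", "Object Name", "Handle ID", "Operation ID",
          "Process ID", "Image File Name", "Primary User Name", "Primary Domain",
          "Primary Logon ID", "Client User Name", "Client Domain", "Client Logon ID",
          "Accesses", "Privileges", "Restricted Sid Count", "Access Mask"]
_LABEL = re.compile("(" + "|".join(map(re.escape, FIELDS)) + r"):\s*")

def parse_description(text):
    """Return {label: value}; works even when the fields are run together."""
    hits, rec = list(_LABEL.finditer(text)), {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        rec[m.group(1)] = text[m.end():end].strip()
    return rec

def actor(rec):
    """Share access over the network fills the Client fields; local access leaves
    them '-', so fall back to the Primary identity (the point of the last reply)."""
    if rec.get("Client User Name", "-") != "-":
        return rec["Client Domain"] + "\\" + rec["Client User Name"]
    return rec["Primary Domain"] + "\\" + rec["Primary User Name"]

def file_deletions(events):
    """events: (event_id, description) pairs in log order. A 560 on a File with
    DELETE access records intent; report it once a 564 with the same Handle ID follows."""
    opened, deleted = {}, []
    for event_id, text in events:
        rec = parse_description(text)
        if event_id == 560 and rec.get("Object Type") == "File" \
                and "DELETE" in rec.get("Accesses", "").split():
            opened[rec["Handle ID"]] = (rec["Object Name"], actor(rec))
        elif event_id == 564 and rec.get("Handle ID") in opened:
            deleted.append(opened.pop(rec["Handle ID"]))
    return deleted

# Constructed sample events (domain, share path and IDs are made up). The first
# mirrors the registry-key event quoted in the question, which is not a file deletion.
SAMPLE = [
    (560, "Object Open: Object Server: Security Object Type: Key Object Name: "
          "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Security Handle ID: 764 "
          "Image File Name: C:\\WINDOWS\\system32\\mmc.exe Primary User Name: administrator "
          "Primary Domain: CONTOSO Client User Name: - Client Domain: - Accesses: Set key value"),
    (560, "Object Open:\n Object Type: File\n Object Name: D:\\Share\\TestFolder\n Handle ID: 1812\n"
          " Primary User Name: SERVER01$\n Primary Domain: CONTOSO\n Client User Name: jsmith\n"
          " Client Domain: CONTOSO\n Accesses: DELETE\n\t\tREAD_CONTROL\n\t\tSYNCHRONIZE"),
    (564, "Object Deleted:\n Object Server: Security\n Handle ID: 1812\n Process ID: 4"),
]
```

Handle IDs are reused once a handle is closed, so pair 560 and 564 records only within one exported log or a short time window.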
