Windows Server 2008 R2: How to log security events like file/folder creation and deletion on shared (network) folders?
A few files have disappeared on our shared folders. Is there any way to figure out who deleted something, and when? The server hosting these folders is running Server 2008 R2 (x64). I'd like to implement some kind of auditing that warns me (or at least logs the event -- username, timestamp, file/folder name) when people delete files or folders on those shared directories. I know something like this must have been implemented in the OS, I'm just not sure if it's something I have to turn on -- or, if it's already running, where to check for those logs. Thanks in advance. -DS
March 7th, 2011 1:29pm

Please see this http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
http://www.virmansec.com/blogs/skhairuddin
March 7th, 2011 2:08pm

Have a look at this article named "How to audit and track file deletions".
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner, Microsoft Certified Professional, Microsoft Certified Systems Administrator: Security, Microsoft Certified Systems Engineer: Security, Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration, Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
March 7th, 2011 2:27pm

Thank you both! Sorry I could only mark one post as "answer." -DS
March 7th, 2011 3:25pm

Please see this http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access http://www.virmansec.com/blogs/skhairuddin

Hey y'all, same issue, followed the directions in the article as well as poked at a few others. The auditing is working, I can find an event in the Security log when a file is deleted, but the problem I'm running into is it doesn't give any information as to WHICH file was deleted. I found this article, which is obviously based on 2003 or before, and the information from the log sample at the bottom would be perfect, but I'm not finding that event id in the logs on a 2008 R2 box and there's just a message that a file has been deleted and who did it. Any ideas on modding the logging?
June 25th, 2012 6:21pm
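
For the problem described in the last post, an added example that is not part of the thread: on Server 2008 R2 the "An object was deleted" event is ID 4660, which records only a Handle ID, while the file path is in the ID 4663 access event logged for the same handle just before it. The script below pairs the two; it assumes File System auditing and a folder SACL that audits successful deletes are already in place as in the linked article, and the function names are made up for this example.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# Written to work on PowerShell 2.0, the version that ships with 2008 R2.

function ConvertTo-EventData($Record) {
    # Flatten <EventData><Data Name="X">value</Data>...</EventData> into a hashtable.
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    $fields
}

function Get-DeletedFile {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # 4663 = access attempt (has ObjectName), 4660 = object deleted (handle only).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4660, 4663; StartTime = $Since
    } -ErrorAction SilentlyContinue | Sort-Object RecordId   # oldest first

    $pending = @{}   # "ProcessId|HandleId" -> latest DELETE access seen on that handle
    foreach ($e in $events) {
        $f   = ConvertTo-EventData $e
        $key = '{0}|{1}' -f $f.ProcessId, $f.HandleId

        if ($e.Id -eq 4663) {
            # Bit 0x10000 of AccessMask is the DELETE right; ignore reads and writes.
            $mask = [Convert]::ToInt32($f.AccessMask, 16)
            if (($mask -band 0x10000) -ne 0) { $pending[$key] = $f }
        }
        elseif ($pending.ContainsKey($key)) {
            # 4660 on a handle that was opened for DELETE: report the stored path.
            $access = $pending[$key]
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                User    = '{0}\{1}' -f $f.SubjectDomainName, $f.SubjectUserName
                File    = $access.ObjectName
                Process = $access.ProcessName
            }
            $pending.Remove($key)   # handle values are reused, so drop the pairing
        }
    }
}

Get-DeletedFile -Since (Get-Date).AddDays(-7) |
    Select-Object Time, User, File, Process | Format-Table -AutoSize
```

Deletions whose 4663 event has already rolled out of the Security log cannot be paired, so size the log to cover the period you need to look back over.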

This topic is archived. No further replies will be accepted.
