deleted files and folders
Hi Team,
I had shared a folder with read/change permission. Somebody has deleted all the files and folders under that shared folder. I just wanted to know who deleted the files/folders. My system is in a domain.
The folder's last modified time is 6:08 PM, but while checking the security events I can see there are a few AD IDs who accessed different shared folders at that time. So, if I can find the exact modified time (up to milliseconds), then I can guess the user.
So, my requirement is:
1. Any command to get the last modified time (up to milliseconds) of a directory.
2. Any other way to find who deleted all the files/folders of the shared folder.
Please help.
June 15th, 2011 5:59am
Hi,
Is the file server Windows 2003 or 2008?
Is file system auditing enabled on the system and the folder?
Regards
Freddy ELMALEH aka "bigstyle" -- Consultant Freelance pour Active IT -- MVP Windows Server - Directory Services
June 15th, 2011 6:24am
Hi Freddy,
This is a VSS (Visual SourceSafe) server running Windows 2003. File system auditing is not enabled on it.
June 15th, 2011 6:44am
Hello,
if file/folder auditing is NOT enabled you can't figure it out, so 1 and 2 are not possible. So how is auditing set up in your environment?
Hopefully you have a backup and can restore the data.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
June 15th, 2011 7:17am
We are taking backups, but we will lose one day of data if I restore it. I checked the audit policy; it is as below. Any help with this?
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit directory service access: Failure
Audit logon events: Success, Failure
Audit object access: Success, Failure
Audit policy change: No auditing
Audit privilege use: No auditing
Audit process tracking: Failure
Audit system events: Success, Failure
June 15th, 2011 7:35am
Hi,
I see that audit object access is set to success/failure, which is the required GPO setting. But the next step would be configuring the auditing on the specific folder/file.
If you haven't set it on the specific folder/file, you can't do much about it.
Another option is to involve disk recovery agents and recover the files and folders.
June 15th, 2011 10:21am
Hello,
you also have to configure the specific folders/files for auditing, as shown in another thread before:
-------------------------------------------------------------------------------------------
Enabling file auditing is a 2-step process.
[1] Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."
[2] Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.
After you've done both of these steps, any file deletions will show up in the Security log of the file server that hosts those files.
HTH
-------------------------------------------------------------------------------------------
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
June 15th, 2011 11:08am
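
The two-step procedure quoted in the last reply, scripted as an added example (not code from any poster in the thread). It assumes Windows PowerShell run elevated on the file server, a hypothetical folder path in `$Folder`, and event ID 4663 (Server 2008 and later) or 560 (Server 2003) for object access; step [1], the "Audit object access" policy, must already be enabled.

```powershell
# Added example. $Folder is a hypothetical path; run elevated in Windows PowerShell.
$Folder = 'D:\Shares\Projects'

# Question 1 from the thread: last-write time of the directory with milliseconds.
(Get-Item -LiteralPath $Folder).LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss.fff')

# Step [2]: audit successful and failed deletes by anyone, inherited by
# subfolders and files. Reading or writing the SACL needs the -Audit switch.
$acl    = Get-Acl -Path $Folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Confirm the audit entry is present before relying on it.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Later: list object-access events from the last day that name the folder and
# include the DELETE access. Event IDs are assumptions about the OS version:
# 4663 on Server 2008 and later, 560 on Server 2003.
Get-EventLog -LogName Security -InstanceId 4663, 560 -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message.IndexOf($Folder, [StringComparison]::OrdinalIgnoreCase) -ge 0 -and
        $_.Message -cmatch 'DELETE'
    } |
    Select-Object TimeGenerated, InstanceId, Message |
    Format-List
```

The event message carries the account name and the object path, so the query only returns deletions made after the audit entry was added.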