security event logs missing for a period of time of 9 minutes
I have a folder, 'test', which includes the folders 'test1', 'test2', 'test3' and 'test4'. Somehow the folders 'test3' and 'test4' were moved one level up. There is a security log enabled and auditing at the Windows level. The action took place within a period of 9 minutes, but it did not last more than 1 or 2 minutes due to the size of the files included in them. I need to find the event and figure out who performed the move in order to prevent it next time. Generally, if I move or delete folders I get events 560 and 560. These events are not there for the period of time when the incident occurred. Thank you, Renold
June 23rd, 2010 7:39pm

Auditing is tricky; you may not have it set up correctly. I would do a few tests to verify that THESE PARTICULAR events are created appropriately. In general you need to do the following:
1) Enable Object Access auditing in the local audit policies.
2) Enable NTFS auditing on the PARENT FOLDERS of the objects to be audited. It's best to do the entire drive.
3) Monitor only appropriate activities (deletes and writes, usually); reading files is not worth the effort.
Recommended NTFS Audit Policy: http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Recommended%20NTFS%20Audit%20Policy.aspx
The event may not appear because you are auditing incorrectly for those folders, and/or there was a load on the server such that many events were lost. This is apparent when large gaps with no event logs occur.
June 23rd, 2010 8:22pm
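The three steps in the reply above, worked through as an added PowerShell example (not code from the original thread): it checks the local Object Access audit policy, puts an inheritable delete/write audit entry (SACL) on the parent folder, verifies it, and then pulls the object-access events for a time window so the account name can be read from the event text. The folder path, the time window and the use of the built-in "Everyone" SID are assumptions; the session must be elevated with the "Manage auditing and security log" privilege.

```powershell
# Added example, not from the original post. Assumed parent folder and incident window:
$Folder = 'C:\data\test'                       # placeholder path; use the real parent folder
$From   = Get-Date '2010-06-23 19:00'          # assumed start of the 9-minute window
$To     = $From.AddMinutes(9)

# 1) Object Access auditing must be on in the local audit policy (auditpol: Vista/2008+;
#    on Windows 2003 check Local Security Policy -> Audit Policy instead).
auditpol /get /category:"Object Access"

# 2) NTFS audit entry on the PARENT folder, inherited by subfolders and files.
#    Only deletes and writes are audited, as the reply recommends; reads are skipped.
$acl      = Get-Acl -Path $Folder -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # well-known "Everyone"
$rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, Write'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $everyone, $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3) Confirm the SACL now carries the rule (a move shows up as delete/write on the source/target).
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4) Pull object-access events for the window. 560 (object opened) and 564 (object deleted)
#    are the Windows 2003-era IDs; 4656/4663/4660 are their Vista/2008+ equivalents.
$ids = 560, 564, 4656, 4663, 4660
Get-EventLog -LogName Security -After $From -Before $To |
    Where-Object { $ids -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, UserName, @{n='Detail'; e={ $_.Message -split "`n" | Select-Object -First 6 }} |
    Format-List

# If this query returns nothing at all for the window while neighbouring minutes are dense,
# the log itself has a gap (lost events), which is the second cause the reply describes.
```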
