Sunday, May 20, 2012

How to: Track deletion of Windows folders using security policy

1) Enable auditing via policy

Click Start->Run->secpol.msc
Under Local Policies \ Audit Policy, enable "Audit object access" for 'success' events (meaning that the access was 'successful'; failures would indicate permission problems when attempting it)

2) Enable auditing on the 'object'.  

Right-click a folder/file and choose Properties
From the Security tab, click Advanced
From the Auditing tab, click Add. Now, if you want to find 'who' - it's best to 'add' the Everyone group
For the audit access, choose Delete, again under Successful (for a successful deletion)

3) Check the events
Open Event Viewer (Start->Run->eventvwr)
Look for/filter on the event ID 560
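
Steps 2 and 3 can also be scripted. The following is an added example, not part of the original post: it sets the same audit entry (Everyone, Delete, Successful) on a folder and then filters the Security log for the event ID given above. The folder path and variable names are assumptions, and step 1 (the audit policy) must already be enabled.

```powershell
# Added example. Run from an elevated PowerShell prompt: reading and
# writing the audit list (SACL) requires the "Manage auditing and
# security log" right.

$folder  = 'C:\Data\Shared'   # hypothetical folder to watch
$eventId = 560                # event ID named in step 3

# Step 2: add an audit entry to the folder.
# -Audit makes Get-Acl return the SACL as well as the permissions.
$acl = Get-Acl -Path $folder -Audit

# Everyone / Delete / Success, inherited by subfolders and files
# (the GUI default "This folder, subfolders and files").
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success')

$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the entry is present.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Step 3: pull matching events from the Security log and keep only
# those whose text mentions the watched folder.
Get-EventLog -LogName Security -InstanceId $eventId -Newest 500 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeGenerated, Message |
    Format-List
```

Event ID 560 is the object-access event on Windows XP / Server 2003; on Windows Vista / Server 2008 and later the corresponding event is 4656, so set `$eventId` accordingly.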
