Tracking users

Our server is running Windows server 2003. On the one drive we have a lot of
files were users can store work. At the moment everybody has acsess to the
folders and the documents. Now someone went in on a specific folder and
deleted some of the documents. Is there anyway to track the IP or PC name of
the person that went into this folder via the network?

How bought the username of the person who did it? Wiuld tht suffice?

You can enable auditing and then choose to audit things like file deletions
in that folder.

As a fairly paranoid person I end to use it on all critical files that are
access by more than one person.

The key is it must be NTFS and both turn security auditing on as well as the
specific resource must be flagged to be audited.

Which makes sense. You certainly wouldn't want all file accesses to be
audited 24/7 when you enable auditing. It would kill performance and be
impossible to pull data from the log files.

http://www.securityadmin.info/faq.asp?auditing

There are also lots of how-to articles for turning on and tracking auditing
you can find just by googleing..
--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
"Spy" <(E-Mail Removed)> wrote in message
news:96F0E9CF-6AC4-4374-83C0-(E-Mail Removed)...
> Our server is running Windows server 2003. On the one drive we have a lot
> of
> files were users can store work. At the moment everybody has acsess to the
> folders and the documents. Now someone went in on a specific folder and
> deleted some of the documents. Is there anyway to track the IP or PC name
> of
> the person that went into this folder via the network?

A username would even be better!!! I am fairly new to the company, and no
audit policy's has been enabled. Just file sharing and full rights to
everybody. I will be looking into this.

But at the moment I wich to trace the person who went in on that folder and
deleted the files.

"Spy" wrote:

> Our server is running Windows server 2003. On the one drive we have a lot of
> files were users can store work. At the moment everybody has acsess to the
> folders and the documents. Now someone went in on a specific folder and
> deleted some of the documents. Is there anyway to track the IP or PC name of
> the person that went into this folder via the network?

if the auditing was not enabled at that time, I'm afraid now it's too late.

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader...lt2.asp?ref=au

"Spy" <(E-Mail Removed)> wrote in message
news:778BB0BA-A648-462F-8F1D-(E-Mail Removed)...
>A username would even be better!!! I am fairly new to the company, and no
> audit policy's has been enabled. Just file sharing and full rights to
> everybody. I will be looking into this.
>
> But at the moment I wich to trace the person who went in on that folder
> and
> deleted the files.
>
> "Spy" wrote:
>
>> Our server is running Windows server 2003. On the one drive we have a lot
>> of
>> files were users can store work. At the moment everybody has acsess to
>> the
>> folders and the documents. Now someone went in on a specific folder and
>> deleted some of the documents. Is there anyway to track the IP or PC name
>> of
>> the person that went into this folder via the network?