Sep 24

Holding your users accountable for their actions is one of the trickiest things about being an IT Consultant. If a user tells you he didn't delete or move a file you can't just sneer at him and accuse him of lying, no matter how much you want to. You must have proof: a nice solid document showing the who, when, and where of the user's malfeasance. Enter file system auditing.

There are a plethora of third party applications around that will handle all of your document tracking and change auditing needs, but they are universally expensive and require a high degree of user cooperation. If you aren't in a position to demand that kind of cooperation the whole project might as well be built with fairy dust. Luckily for the much-abused Consultant on a limited budget, Windows has a pretty robust built-in auditing system.

The BEST way to do this is to centralize file storage. Move user document directories to a file server, set up shared drives for everyone, etc. Otherwise you have a decentralized nightmare of file management, and a SACL on a folder only catches what happens on that machine. So now that you have your cobbled together file server with half a dozen cheapo rescued 40GB drives and an old RAID card you found under your couch (limited budget, remember?) you can implement some auditing.

Head on over to Administrative Tools on your file server and fire up the Local Security Policy editor.

Now browse on down to Local Policies, and Audit Policy. Double click on Audit Object Access and choose Success, now click Apply. One caveat: if the server is a domain member, a domain Group Policy that defines this setting wins over the local one, so if the checkbox refuses to stick or reverts after a reboot, look at Group Policy rather than the local editor.

You've now enabled the possibility of logging file system events; nothing is logged until you also tell Windows which folders and which users to watch. Open up My Computer and navigate to the first folder you would like to monitor changes in. Don't audit the entire drive: Windows will let you, but the flood of events from the OS and applications touching their own files makes the log useless. Right click on the folder and choose Properties, then click on the Security tab, next click on Advanced, now click the Auditing tab.

Here is where you add the users or groups whose actions you would like to log. Click on Add and enter the desired user groups. You can always use Everyone if you want to monitor all of the changes to the folder. After you enter a user or group and click OK you will be given a list of options to choose from. I only monitor successful file and folder creation and deletion, so I check the box under Successful for Create Files / Write Data, Create Folders / Append Data, Delete Subfolders and Files, and Delete. Leave "Apply these auditing entries to objects and/or containers within this container only" alone so the entries inherit down to everything under the folder.

Now click OK, then click OK again, in fact keep clicking OK until you get back to your folder listing. Now you have enabled logging of Successful Creation and Deletion of files and folders for that folder. Repeat the process with any additional folders you would like to monitor.
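If you have more than a couple of folders to set up, the click-fest above gets old fast. Here is the same procedure as a script, added here as an example and not part of the original post. It assumes Windows Vista / Server 2008 or later (where the per-subcategory `auditpol` setting is what actually controls file auditing) and an elevated PowerShell prompt; the folder paths are placeholders.

```powershell
# Added example: the GUI steps from the post, scripted.
# Assumes Vista/2008+ and an elevated PowerShell session. Paths are placeholders.

# Step 1: Local Policies > Audit Policy > Audit Object Access = Success.
# On Vista+ the "File System" subcategory is the one that governs SACLs on files/folders.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# Step 2: the auditing entry the post builds by hand, applied to each folder.
$folders = 'D:\Shares\Finance', 'D:\Shares\Users'    # placeholder paths

# Create Files / Write Data, Create Folders / Append Data,
# Delete Subfolders and Files, Delete -- Successful only.
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',                       # who to watch
    $rights,
    'ContainerInherit, ObjectInherit', # apply to files and subfolders below
    'None',
    'Success'                         # Successful column only, like the post
)

foreach ($folder in $folders) {
    # -Audit is required or Get-Acl silently leaves the SACL out of the object.
    $acl = Get-Acl -Path $folder -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $folder -AclObject $acl

    # Show what actually landed on the folder so you can eyeball it.
    Write-Host "Audit entries on $folder"
    (Get-Acl -Path $folder -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
}

# Confirm the policy took (a domain GPO can override the local setting).
auditpol /get /subcategory:"File System"
```

`Set-Acl` needs the "Manage auditing and security log" privilege to write a SACL, which is why the session has to be elevated. If `auditpol /get` still shows "No Auditing" after the script, the setting is being overridden by Group Policy and has to be fixed there.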

Now, open up your Event Viewer and create a file or folder in one of the folders you are monitoring. Refresh the event viewer and DESPAIR. Windows creates 5 entries for the creation of a folder and 7 for the deletion of a folder. This is going to fill your log file up with a quickness if you don't do something about it. So right click on the Security log and click Properties. Now choose your Maximum Log Size; I like to set mine to 20 MB and tell it to overwrite events older than 7 days when the log gets full. Keep in mind that once the log wraps the evidence is gone, so size it for the longest you might wait before someone complains.

Usually this means I have 7-10 days of log entries which is all I need for user accountability on file deletions. You may need more or less, and your log may fill up slower or faster than mine does. So play around with these settings until you find the ones that work for you.

Now you may be saying "But with a dozen entries for every file creation and deletion and no good way to search the event logs with Windows Event Viewer, won't it be almost impossible to USE this data?" and you would be right. That's why we kick Event Viewer to the curb like a whiny girlfriend and bring in the new hotness, Event Log Explorer.

Now when one of those smarmy users tells you his files “Just Disappeared” you can hand him a printout showing exactly when he moved his financial spreadsheets into his iTunes folder on accident.

** Notice: Windows logging handles folder moving very strangely. Moving or deleting a file results in a deletion event which shows the correct file name. If the file is moved, a creation event is also written showing the folder the file was moved to, but not listing the name of the file. However, the operation ID of that creation event is the immediate next ID in numerical order after the one showing the file/folder being deleted. For example, if a folder named MoveMe in c:\temp is moved to c:\old, the log will show an entry for the deletion of MoveMe with operation ID 1234, and operation ID 1235 will show the creation of a new folder in c:\old. This allows the two events to be linked and means the folder can be tracked to its new location if moved.
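The log-size settings above and the search problem can both be handled from PowerShell without a third party viewer, and the same "link the events by ID" trick from the notice works on the built-in log. The following is an added example, not part of the original post or of Event Log Explorer. It assumes Vista / Server 2008 or later, where the relevant events are 4663 ("An attempt was made to access an object", which carries the file name and the requested access) and 4660 ("An object was deleted", which carries only the handle). The legacy 560/564 pair the post was written against has the same shape but different field names, so the XML field lookups would need adjusting there. The path prefix is a placeholder.

```powershell
# Added example: size the Security log as the post does, then answer
# "who deleted what, and when" by joining 4660 (deleted) to 4663 (access with DELETE)
# on HandleId. Assumes Vista/2008+ event IDs and an elevated session.

# Security log: 20 MB, overwrite events older than 7 days when full.
Limit-EventLog -LogName Security -MaximumSize 20MB -OverflowAction OverwriteOlder -RetentionDays 7

function Get-FileDeletions {
    param(
        [string]$PathPrefix = 'D:\Shares\',            # placeholder: folders under audit
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4660, 4663
        StartTime = $Since
    } -ErrorAction Stop

    # Flatten each event's EventData into a simple object once.
    $parsed = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Record = $e.RecordId          # monotonic; stands in for the post's "operation ID"
            User   = $d['SubjectUserName']
            Handle = $d['HandleId']
            Object = $d['ObjectName']
            Mask   = $d['AccessMask']     # e.g. "0x10000"; bit 0x10000 is DELETE
        }
    }

    # 4660 has no file name. The 4663 with the same HandleId, written just before it,
    # that asked for DELETE access is the one that names the file.
    foreach ($del in ($parsed | Where-Object { $_.Id -eq 4660 })) {
        $access = $parsed | Where-Object {
            $_.Id -eq 4663 -and
            $_.Handle -eq $del.Handle -and
            $_.Record -lt $del.Record -and                # handle IDs get reused; stay before the 4660
            ([int64]$_.Mask -band 0x10000) -ne 0 -and
            $_.Object -like "$PathPrefix*"
        } | Sort-Object Record -Descending | Select-Object -First 1

        if ($access) {
            [pscustomobject]@{
                Time    = $del.Time
                User    = $del.User
                Deleted = $access.Object
                Record  = $del.Record
            }
        }
    }
}

# Usage: the printout you hand to the user whose files "Just Disappeared".
Get-FileDeletions -PathPrefix 'D:\Shares\Finance\' | Sort-Object Time | Format-Table -AutoSize
```

A move shows up here as a deletion of the source path, exactly as the notice describes; the matching creation event for the destination folder is the 4663 with the next record number after it, which is what you look at to find where the file went.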

As usual if you’ve found this helpful please donate to The Empire, or at least vote for me.
