Auditing folder moves

Thread starter: BJF

BJF

We've had some folders unexpectedly moved to odd places on our shared
drive. We turned audit logging on, and that's capturing the deletes, but
not the moves. If we rename a file, that gets captured. If we move it to a
different folder, nothing shows up in the log.
Any idea what we need to set to turn on logging of moved files and
folders?
Thanks in advance.
 
Moving is a two-part operation - copy and delete. So you would need to audit the
destination folder for write permissions. Of course that is difficult since you do
not know exactly what folder that will be. Maybe you can configure permissions so
that users cannot move folders by creating special permissions for just the folder or
folder and subfolders while allowing them modify permissions to files or
subfolders. -- Steve
 
Steve,
That's what I thought. I've been monitoring all deletes, and I
*expected* that I'd catch the 'delete' part of the move. So much for
expectations... Nothing was logged.
I'd be satisfied if I could catch just the delete part, but it would be
nice to also get the destination. How can I at least capture the delete
part of the move event? I'm getting all other file/folder deletes in the
system, just not those caused by a move.
Ben
 
Maybe I was wrong. I thought that a move would record a folder delete for that parent
folder - that would make sense. I will try some testing on my end and see if I can
find out anything. --- Steve
 
That was my assumption also, but I did a more thorough test and found out it
doesn't work the way we expected. Let me know what you find out. Thanks.
Ben
 
I tried it out on a W2K server locally and I found that, after enabling auditing of
both delete permissions, when I moved [dragged and dropped] a subfolder named
New Folder out of the folder being audited [inetpub], an event ID 560 showing a
delete was recorded in the security log, as shown below, while I was logged on as
administrator. --- Steve

Object Server: Security
Object Type: File
Object Name: C:\Inetpub\New Folder
New Handle ID: 1480
Operation ID: {0,761363}
Process ID: 1984
Primary User Name: administrator
Primary Domain: UMBACH1
Primary Logon ID: (0x0,0x9D4CA)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
          SYNCHRONIZE
          ReadAttributes
 
Steve,
It could be that we're missing something. When you said 'both delete
permissions' - can you elaborate on 'both'? The network admins at my shop
who turned on the auditing for me may not have done all the steps. Thanks.
Ben
 
On the folder I audited I went to Properties/Security/Advanced/Auditing. I
added Users and then, under the permissions to audit, I selected under
Successful: Delete and Delete Subfolders and Files. Those are the only two
I audited, since adding any more permissions would generate a lot more events
in the security log and deletions were the only event I was trying to
capture. --- Steve

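Steve's GUI steps as a script, added here as an example and not code from the thread. It assumes PowerShell on a current Windows file server rather than the W2K box in the thread; the folder path and the audited identity are placeholders.

```powershell
# Added example, not code from the thread. It applies the audit entries Steve
# describes (Successful: Delete, Delete Subfolders and Files) to a folder's SACL
# and reads them back. $Path and $Identity are assumed placeholders.
# Run elevated; the machine's "Audit object access" policy must also be enabled
# for success, otherwise the SACL produces no Security-log events at all.
param(
    [string]$Path     = 'D:\Shared\Projects',   # assumed: source folder to watch
    [string]$Identity = 'Everyone'              # assumed: principals to audit
)

$rights      = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]::Success

# -Audit is required: without it Get-Acl omits the SACL and Set-Acl leaves it alone.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $Identity, $rights, $inheritance, $propagation, $auditFlags
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify what is now on the SACL (explicit and inherited entries).
Write-Host "Audit entries on $Path that cover Delete:"
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { ($_.FileSystemRights -band $rights) -ne 0 } |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Test as in the thread: drag a subfolder out of $Path. The source side of the
# move is logged as a DELETE access on the subfolder (event 560 on Windows 2000,
# 4663 on current Windows). The destination side only shows up if that folder
# carries a write/create audit entry of its own, which is Steve's caveat above.
```

Only the source folder's SACL is set here, so a move still appears as a delete with no destination recorded; that matches what Ben observed once the two delete permissions were audited.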
 