How to find who deleted my file


Deepika CA

Hi All,
We have a network domain named Energy and all the
servers and the users are connected to the same.
Users connected, e.g. a, b, c, are the users on ENERGY as
a\ENERGY, b\ENERGY, c\ENERGY. My servers are also in the
same domain. There are some shared folders on my servers
for some purpose, but I cannot make out who (which IP)
deleted my files in the directory. My EventLog does not
list the files deleted and who deleted them.

Is there any way that I can trace this?

Please help me out in this.

Thanks
Deepika
 
Really, you would have to already have had Windows auditing turned on for
that computer and that file before the deletion took place, then look in the
Windows security event viewer log [don't enable success auditing for
absolutely everything, better to enable failure auditing for everything, and
success auditing for deletions and select other things you wish to track, to
avoid filling up the security event logs every two minutes]:

http://securityadmin.info/faq.asp#auditing

.... and then you would get the user name and possibly the computer name, not
the IP address. To track IP address, you need a firewall, but even then it
would be difficult and probably not fruitful to try to match up your
firewall log entries with Windows security log entries, unless perhaps you
used something like NT Syslog and a free syslog client like
www.kiwisyslog.com to consolidate both logs into one syslog. I wouldn't try
it, it's just the only possibility I can think of.
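
The setup the reply describes, as an added example that is not part of the original thread: turn on success auditing for deletions on one shared folder, then pull the matching deletions and user names out of the Security log. It assumes Windows Vista/Server 2008 or later (where object-access events carry ID 4663), an English-language system, an elevated PowerShell session, and a placeholder folder path.

```powershell
# Assumption: placeholder path for the shared folder to watch.
$Path = 'D:\Shares\Example'

# 1. Turn on the File System audit subcategory. Nothing is logged until a
#    folder also carries an audit entry (SACL), which step 2 adds.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Audit only successful deletions by anyone, inherited by subfolders and
#    files. Keeping the rule this narrow avoids flooding the Security log.
$acl  = Get-Acl -Path $Path -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. After a deletion has happened, list who deleted what.
#    Event 4663 = "An attempt was made to access an object";
#    access mask bit 0x10000 is the DELETE right.
function Get-FileDeletion {
    param([string]$Folder, [datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a hashtable.
            $fields = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $fields[$_.Name] = $_.'#text' }

            $mask = [Convert]::ToInt32($fields.AccessMask, 16)
            if (($mask -band 0x10000) -and $fields.ObjectName -like "$Folder*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $fields.SubjectDomainName, $fields.SubjectUserName
                    Object  = $fields.ObjectName
                    Process = $fields.ProcessName
                }
            }
        }
}

Get-FileDeletion -Folder $Path | Sort-Object Time | Format-Table -AutoSize
```

Only deletions that occur after steps 1 and 2 are in place will appear; earlier ones leave no record to query.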
 