Track File Deletions on Server

Mainstay

Mainstay

Well-Known Member
Reaction score
747
OK all you smart Windows Server 2008 gurus.

Scenario: Last night files were deleted from a common folder. All users on the AD have access and read/write/delete permissions.

This morning I restored the files from our 7:00 pm backup and all is well in the world.

Question: How can we track file deletions on the server in the future? Any good solutions that won't kill server performance and can yield readily digestible results?


Thanks all for reading.

--m
 
right - we had followed this approach last year (same issue) and the observations were:

1. there was a huge performance hit (we covered a lot of sub folders)
2. the log files got huge
3. the log files were limited in time (i.e., we could only go back a few days, which, if we were lucky, covered the incident, but more often than not, didn't include the deletion event).
4. the log files were difficult to parse

before we re-enable this approach, I was just curious to see if there are better / simpler ways to track the deletions.

Thank you for the feedback!
 
They need deletion rights in order to keep the directories maintained. But some users are deleting more than they should.
 
freedomit said:
We have done this before and it causes massive problems with MS Office files. When you open and work on a Word/Excel doc it creates a temporary file and when you save and close it deletes it. If you remove delete rights users will get an 'Access Denied' message when they try and save.

https://support.microsoft.com/en-us/kb/2589410
Click to expand...


We've encountered this issue as well. MS files won't cleanup after open.... a nightmare in the making.

Plus, the managers have better things to do than folder maintenance... that is why they hire sublings.

Any thoughts on how to track this [easily]?
 
How many users, machine? As you know there is an overhead penalty on the server side but what about running something client side. That way the overhead would be spread over all machines.
 
Last edited:
Why MS stores deleted files in the recycle bin on workstations yet are permanently deleted on servers always frustrated me.

I had this issue many moons ago when I was a network manager. It seems that I was constantly loading backup tapes to restore the files/folders that nobody deleted.

Anyway, my work around was a 3rd party application whose name escapes me. I do remember there were quite a few appls for sale that store the deleted files/folders in an admin accessible location.
 
@markverhyden : ~30 users over 40 workstations (3 locations).

That is an interesting idea... do you know of a program that is client-side that can track this activity and deliver its daily report to a central program (that preferably merges the data and makes it searchable"?

@mr m : let me know if you recall the software... am very interested.

@AndyM : Thank you for the links. Our issue, however, is not one of losing information. We have backups that serve us very well and we, unfortunately, need to invoke them quite regularly. What we are interested in knowing is WHO is deleting these files so that we can take corrective action with the user(s). The managers train their personnel but clearly someone isn't getting it.

We aren't looking to fire anyone, just get everyone to understand how that delete button works. One of the biggest culprits (I believe) is one of the firms partners... so I can't very well approach them unless I have some evidence.
 
@Mainstay, I've been looking around. So far nothing found that is centrally controlled. But, as we all know, this is not a new problem. So there has to be something that will allow you ID the culprit(s) via the workstation.
 
mr m said:
Why MS stores deleted files in the recycle bin on workstations yet are permanently deleted on servers always frustrated me.

I had this issue many moons ago when I was a network manager. It seems that I was constantly loading backup tapes to restore the files/folders that nobody deleted.

Anyway, my work around was a 3rd party application whose name escapes me. I do remember there were quite a few appls for sale that store the deleted files/folders in an admin accessible location.
Click to expand...
It doesn't. It's called Volume Shadow Services and you can undelete files just fine so long as it is properly setup. Again I ask why are then end users deleting anything? Computers are for automation. You need to preserve files then you need to archive them. I still say block delete rights. As for the temp files, scheduled task run before the backup can clean systems of that. Time to stop having end users mismanage things that your server can do automatically.
 
nlinecomputers said:
It doesn't. It's called Volume Shadow Services and you can undelete files just fine so long as it is properly setup. Again I ask why are then end users deleting anything? Computers are for automation. You need to preserve files then you need to archive them. I still say block delete rights. As for the temp files, scheduled task run before the backup can clean systems of that. Time to stop having end users mismanage things that your server can do automatically.
Click to expand...

Yeah, but the OP's point is he wants to track the deletions. Knowing who is doing it and then finding out why. From a network security perspective that is very important. Sure, it might be an ID ten T issue, like he hinted. Or it might be something worse.
 
You must log in or register to reply here.

Similar threads

urcomputech
[REQUEST] Using dual NIC's on server and workstations to create dual networks for seamless switchover to backup WAN/ISP
Replies
13
Views
3K
Sky-Knight
Sky-Knight
Big Jim
Problem with my own server
Replies
1
Views
928
Big Jim
Big Jim
phaZed
[SOLVED] How to uninstall Forticlient AV that was installed from EMS management dashboard?
Replies
2
Views
17K
Your PCMD
Your PCMD
coffee
Question on Migrations to new server
2
Replies
20
Views
3K
nlinecomputers
nlinecomputers
O
Windows Server 2008 Permissions issues
Replies
4
Views
1K
ohio_grad_06
O
Back
Top