Windows 2003 how can I log when a user moves a file?

  • Thread starter Thread starter mike
  • Start date Start date
M

mike

I have a situation where several files got moved, but I cannot track which
user did it. I have a timestamp, but the security logs do no really show or
indicate where this came from. Does Window shave this functioality native? If
not which 3rd party products would? thanks in advance for any replies
 
Windows does not natively do this. Your best options would be to limit access to the files, or install a file monitoring solution. I believe that www.quest.com has a solution that will do this for you.

--
~Kevinm WLKMMAS [x-MVP]
"mike" <mike@discussions.microsoft.com> wrote in message news:31E22C07-41DE-4048-908F-2A5365BD8B0A@microsoft.com...
I have a situation where several files got moved, but I cannot track which
user did it. I have a timestamp, but the security logs do no really show or
indicate where this came from. Does Window shave this functioality native? If
not which 3rd party products would? thanks in advance for any replies
 
I didn't think there was a 'native' way, but wanted to check, thanks!

"Kevinm" wrote:

> Windows does not natively do this. Your best options would be to limit access to the files, or install a file monitoring solution. I believe that www.quest.com has a solution that will do this for you.
>
> --
> ~Kevinm WLKMMAS [x-MVP]
> "mike" <mike@discussions.microsoft.com> wrote in message news:31E22C07-41DE-4048-908F-2A5365BD8B0A@microsoft.com...
> I have a situation where several files got moved, but I cannot track which
> user did it. I have a timestamp, but the security logs do no really show or
> indicate where this came from. Does Window shave this functioality native? If
> not which 3rd party products would? thanks in advance for any replies
 
Hi Mike,

if files are moved then the OS handles that as a move in the file
system (very quick). But from the security view it is handled as they
are copied and deleted.

So if you are watching these files with the monitoring mechanisms of
NTFS security then you will see the changes in the security section of
the eventlog. You can simply watch for "delete" in the extended
security dialog and will see that events are reported including the
user who did it.

Best regards,
Holger
 
Back
Top