How do I find out who moved a folder – Windows Server 2003 Print

  • 24

Sometimes when you go to look for a folder on windows server you will discover a folder is missing or has been moved. There is a way to find out who has moved the folder with auditing on windows server.

Take note: Performance issues can occur if you turn on auditing on too many files and folders. This will really depend on what type of server hardware you have. You may have to test and see what is acceptable for your server.

First you have to find which folder it is you want to audit. Once you have identified your folder you will want to right click on the folder and select properties from the context menu. Next, click on the security tab and then click the advanced button.

Next, the advanced page will come up. Then click on the auditing tab and then click the add button. The user dialog box will appear. Here you can choose the group or user you want to watch. If you have an idea of whom it may be you can select a user. It may be best however to use the “everyone” group. Selecting too many users can really hinder performance.

Click ok and then the auditing selection box will appear. Select only the options that you really need to use. Every option you check will start to hinder performance. If you want to audit who is deleting files just check the “Delete Sub-folders and Files” and “Delete” check boxes. Then click ok for every box you have open.

Now, if a user deletes some files or folders it will save an event in the administrator event log. If you ever see files deleted which shouldn’t be you can now check the event logs. If you are looking to see who deleted a file or folder check for event log ID 560.

If this ever happens just click on the event log and scan through the event and you should be able to tell which user deleted the file or folder.

credits to

Was this answer helpful?

« Back