Hi,
I've configured our 2008 Server to audit object access.
I've enabled auditing on 1 testfolder to audit the "delete" action.
When I test this and delete the folder using one of our user accounts I get the output below in the eventviewer of our server. The problem is that the event does not mention which user account deleted the folder, which is all I want to know. It just mentions"logon id 0x3e7".
Thanks for reading !
Log Name: SecuritySource: Microsoft-Windows-Security-Auditing
Date: 22/04/2013 10:34:21
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: myserver.mydomain.local
Description:
An attempt was made to access an object.
Subject:
Security ID: SYSTEM
Account Name: myserver$
Account Domain: mydomain
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: File
Object Name: D:\DATA\TESTFOLDER
Handle ID: 0x7460
etc.