Home > IT Answers > Microsoft Windows > Tracking which user deleted files after the fact
TeachMeIT
975 pts.
 Tracking which user deleted files after the fact
CIFS, Common Internet File System, Server Message Block, SMB, User tracking
Can I tell what user deleted a group of files or folders via SMB? The users are on a mix of windows and apple machines but I can not determine who deleted the files. Is there any way to tell who did it after the fact?

Software/Hardware used:
ASKED: September 8, 2010  1:39 PM
UPDATED: September 9, 2010  3:28 PM
RELATED QUESTIONS
Answer Wiki:
Expensive for just one event but we use a tool called Varonis which includes this function very good tool and capable of much more
Last Wiki Answer Submitted:  September 8, 2010  1:52 pm  by  AndyRLee   355 pts.
All Answer Wiki Contributors:  AndyRLee   355 pts.
To see all answers submitted to the Answer Wiki: View Answer History.


RSS - Discussions Help
Discuss This Question:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

 

Well, if you are using *nix/Samba for a smb-based file server, it is possible by activation of one of auditing vfs objects (vfs object is kinda plugin in samba versions >3). You can inspect their properties and configuration in samba man pages: vfs_audit, vfs_extd_audit, vfs_full_audit .

BTW, there is a “network recycle bin” in samba through vfs object vfs_recycle …

Maybe it’s time to think over a migration to Linux/Samba?

petkoa
 3,120 pts.