Understand Event Viewer – Delete Action on Folders – Event ID 560
Event ID, Event ID 560, Event Viewer, Windows Server 2003, Windows Server Security, Windows Server Security Audits
I've enabled audit logs on several folders on windows server 2003 environment. It records the deleted action on folder and sub-folder.
The problem is I want to make sure, that when I see Delete in Accesses field, it is for certain the user deleted the folder/file.
When replicating the action, it only shows (delete), I'm not sure, what the rest if for.
I filtered the logs to Object Access, Event ID: 560
So My question is, how to determine that the folder/file is indeed was deleted by that user??
Accesses: DELETE
READ_CONTROL
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttribu
Software/Hardware used:
Software/Hardware used:
ASKED:
March 5, 2009 1:11 PM
UPDATED:
March 5, 2009 1:40 PM
Answer Wiki:
Last Wiki Answer Submitted:
Be the first to answer this question.
All Answer Wiki Contributors:
Be the first to answer this question.
To see all answers submitted to the Answer Wiki: View Answer History.
RSS - Discussions Help
Discuss This Question:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
