Question : Deleted File? user or system?
I am trying to find out what happened to a directory that has disappeared from our network. When I checked the security log I see these events. To me it appears that this user viewed the directory and then deleted it and then moved on to another directory. The only thing that puzzles me is that it all happened within a second. Here are the log events in question.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:15 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Accounting\Job Cost\2010\Report.rpt
New Handle ID: 2672
Operation ID: {2,1928869786}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges -
----------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870967}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
ReadAttributes
Privileges -
----------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870980}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: DSmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
Privileges -
----------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Common
New Handle ID: 2147492020
Operation ID: {2,1928870981}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses SYNCHRONIZE
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges SeBackupPrivilege
SeRestorePrivilege
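Added example, not part of the original post: a parser for the Event ID 560 text quoted in the question that groups opens requesting DELETE by client user and logon session; a 560 records the access requested when a handle is opened, so each hit is a lead to follow up, not proof of deletion. The sample input is trimmed from three of the question's records, and the function names are this example's own.

```python
import re

# Constructed sample: trimmed copies of three Event ID 560 records from the question.
SAMPLE = r"""Event ID: 560
Time: 4:46:15 PM
Object Name: F:\Data1\Department Folders\Accounting\Job Cost\2010\Report.rpt
Client User Name: dsmith
Client Logon ID: (0x2,0x72F51B5B)
Accesses READ_CONTROL
Privileges -
Event ID: 560
Time: 4:46:41 PM
Object Name: F:\Data1\Department Folders\work
Client User Name: dsmith
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
Privileges -
Event ID: 560
Time: 4:46:41 PM
Object Name: F:\Data1\Department Folders\work
Client User Name: DSmith
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
Privileges -"""

FIELD = re.compile(r"(?m)^(Event ID|Time|Object Name|Client User Name|Client Logon ID):[ \t]*(.+?)[ \t]*$")
ACCESSES = re.compile(r"(?ms)^Accesses\s+(.*?)^Privileges")  # list runs until the Privileges line

def parse_events(text):
    """Return one dict per record; text before the first 'Event ID:' line is ignored."""
    events = []
    for rec in re.split(r"(?m)^(?=Event ID:)", text)[1:]:
        acc = ACCESSES.search(rec)
        fields = dict(FIELD.findall(rec), Accesses=acc.group(1).splitlines() if acc else [])
        events.append(fields)
    return events

def delete_opens(events):
    """Map (user, logon session) -> [(time, object)] for 560 opens that requested DELETE."""
    hits = {}
    for e in events:
        if e.get("Event ID") == "560" and "DELETE" in e["Accesses"]:
            # The log shows the same account as dsmith and DSmith, so compare case-insensitively.
            who = (e.get("Client User Name", "?").lower(), e.get("Client Logon ID", "?"))
            hits.setdefault(who, []).append((e.get("Time"), e.get("Object Name")))
    return hits

print(delete_opens(parse_events(SAMPLE)))
```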
Answer : Deleted File? user or system?
The company providing the co-location is your hosting ISP. Ask them if they do anything to prevent IP address spoofing [of your assigned addresses].