Difference between revisions of "StableBit DrivePool Q7965944"
From Covecube - Wiki
(→Steps) |
(→Steps) |
||
Line 15: | Line 15: | ||
# Navigate to '''Local Policies''' -> '''Audit Policy'''. | # Navigate to '''Local Policies''' -> '''Audit Policy'''. | ||
# Double click on '''Audit object access'''. | # Double click on '''Audit object access'''. | ||
− | # Check '''Success''' and click | + | # Check '''Success''' and click '''OK'''. |
− | # Now open up '''Windows Explorer'''. | + | # Now open up '''Windows Explorer''' to the view that lists all of your hard drives. |
# Right click on any pool drive letter that you want to audit and click '''Properties''', | # Right click on any pool drive letter that you want to audit and click '''Properties''', | ||
# Open the '''Security''' tab and click '''Advanced'''. | # Open the '''Security''' tab and click '''Advanced'''. |
Revision as of 19:03, 3 April 2013
When to Use
If one or more files that should be on the pool have vanished, and you don't know why.
Files can disappear from the pool for a number of reasons:
- Make sure that you have no missing disks, and that all the disks part of the pool are accessible and responsive.
- Make sure that the NTFS file system is not damaged on each disk that is part of the pool. You can do this from Windows Explorer, Right click on the disk -> Properties -> Tools -> Check now....
- Someone or some application has deleted those files. This is the point that we're going to address in this article.
In order to record every file deletion, and who or what was responsible, we can use the built-in auditing capabilities in Windows.
Steps
- Follow: Q7200705
- From the Start menu open Local Security Policy (type it).
- Navigate to Local Policies -> Audit Policy.
- Double click on Audit object access.
- Check Success and click OK.
- Now open up Windows Explorer to the view that lists all of your hard drives.
- Right click on any pool drive letter that you want to audit and click Properties,
- Open the Security tab and click Advanced.
- Navigate to the Auditing tab and click Edit....
- Click Add... and type in Everyone then click OK.
- In the dialog that pops up, check the Successful check box for Delete and Delete subfolders and files.
- Click OK through on all the dialogs that are open to apply your settings.
- Click Continue if you see an Access is denied warning for the System Volume Information folder. This is normal.
Now your Windows machine is recording every single delete that you or some application does on the pool. If you even need to find out why a file is missing, just consult the event log.
How to consult the event log
- Follow: Q7200705
- From the Start menu open Event Viewer (type it).
- Navigate to Windows Logs -> Security.
- Click Filter Current Log... on the right.
- Under where it says <All Event IDs> type in 4663 (Event ID 4663 is a file deletion).
Now you will see a list of all recent file deletions, when the deletion took place, which user (or application) initiated the deletion.
Increasing log file size
While you've got the even viewer open, it might be a good idea to increase the log file size in order to be able to log older file deletions.
- Follow: Q7200705
- From the Start menu open Event Viewer (type it).
- Navigate to Windows Logs -> Security.
- Click Properties on the right.
- Increase the Maximum log size to something larger. By default it's set to 20480 KB (which is 20 MB), you may want to increase that up to 102400 KB (which is 100 MB).
- Click OK.