Difference between revisions of "StableBit DrivePool Q7965944"

From Covecube - Wiki
(Created page with "Audit file deletions ==When to Use== If one or more files that should be on the pool have vanished, and you don't know why. Files can disappear from the pool for a number of re...")
 
Line 1: Line 1:
Audit file deletions
 
 
 
==When to Use==
 
==When to Use==
 
If one or more files that should be on the pool have vanished, and you don't know why.
 
If one or more files that should be on the pool have vanished, and you don't know why.
Line 10: Line 8:
 
* Someone or some application has deleted those files. This is the point that we're going to address in this article.
 
* Someone or some application has deleted those files. This is the point that we're going to address in this article.
  
In order to record every file deletion, and or what was responsible, we can use the built-in auditing capabilities in Windows.
+
In order to record every file deletion, and or who what was responsible, we can use the built-in auditing capabilities in Windows.
  
 
==Steps==
 
==Steps==
 
# Follow: [[StableBit_DrivePool_Q7200705|Q7200705]]
 
# Follow: [[StableBit_DrivePool_Q7200705|Q7200705]]
 
# From the Start menu open '''Local Security Policy''' (type it).
 
# From the Start menu open '''Local Security Policy''' (type it).
 +
# Navigate to '''Local Policies''' -> '''Audit Policy'''.
 +
# Double click on ''Audit object access''.
 +
# Check '''Success''' and click ok.
 +
# Now open up '''Windows Explorer'''.
 +
# Right click on any pool drive letter that you want to audit and click '''Properties''',
 +
# Open the '''Security''' tab and click '''Advanced'''.
 +
# Navigate to the '''Auditing''' tab and click '''Edit...'''.
 +
# Click '''Add...''' and type in '''Everyone''' then click '''OK'''.
 +
# In the dialog that pops up, check the '''Successful''' check box for '''Delete''' and '''Delete subfolders and files'''.
 +
# Click '''OK''' through on all the dialogs that are open to apply your settings.
 +
# Click '''Continue''' if you see an '''Access is denied''' warning for the '''System Volume Information''' folder. This is normal.
 +
 +
Now your Windows machine is recording every single delete that you or some application does on the pool. If you even need to find out why a file is missing, just consult the event log.
 +
 +
===How to consult the event log===
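Review bot: The reworded sentence just before ==Steps== now reads "and or who what was responsible", which is missing a conjunction; "and who or what was responsible" says what was intended. In the added lines, "If you even need to find out" should be "If you ever need", and the step "Right click on any pool drive letter ... click '''Properties'''," ends in a comma instead of a period. The new "===How to consult the event log===" heading has no body, so the revision tells the reader to consult the event log without naming the log or the events to look for; either fill it in or hold the heading back until the text is ready.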

Revision as of 19:02, 2 April 2013

When to Use

If one or more files that should be on the pool have vanished, and you don't know why.

Files can disappear from the pool for a number of reasons:

  • Make sure that you have no missing disks, and that all the disks part of the pool are accessible and responsive.
  • Make sure that the NTFS file system is not damaged on each disk that is part of the pool. You can do this by Right clicking on the disk -> Properties -> Tools -> Check now....
  • Someone or some application has deleted those files. This is the point that we're going to address in this article.

In order to record every file deletion, and who or what was responsible, we can use the built-in auditing capabilities in Windows.

Steps

  1. Follow: Q7200705
  2. From the Start menu open Local Security Policy (type it).
  3. Navigate to Local Policies -> Audit Policy.
  4. Double click on Audit object access.
  5. Check Success and click OK.
  6. Now open up Windows Explorer.
  7. Right click on any pool drive letter that you want to audit and click Properties.
  8. Open the Security tab and click Advanced.
  9. Navigate to the Auditing tab and click Edit....
  10. Click Add... and type in Everyone then click OK.
  11. In the dialog that pops up, check the Successful check box for Delete and Delete subfolders and files.
  12. Click OK through on all the dialogs that are open to apply your settings.
  13. Click Continue if you see an Access is denied warning for the System Volume Information folder. This is normal.

Now your Windows machine is recording every single delete that you or some application does on the pool. If you ever need to find out why a file is missing, just consult the event log.
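Steps 2 to 12 can also be scripted. The PowerShell below is an added example, not part of the original article: it applies the same audit policy and audit entry, then lists the resulting delete events from the Security log. It assumes `P:\` as a placeholder pool drive letter, that the narrower "File System" audit subcategory is used in place of the whole Audit object access category, and that deletes are recorded as event ID 4663; step 1 (Q7200705) is not scripted here.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
$PoolRoot = 'P:\'   # assumption: placeholder for your pool drive letter

# Steps 2-5: turn on success auditing for file system object access.
auditpol /set /subcategory:"File System" /success:enable

# Steps 6-12: add an audit (SACL) entry so successful deletes by Everyone are
# recorded, inherited by all subfolders and files on the drive.
$acl  = Get-Acl -Path $PoolRoot -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $PoolRoot -AclObject $acl

# Confirm the audit entry is in place.
(Get-Acl -Path $PoolRoot -Audit).Audit | Format-List

# Read back audited deletes: Security event 4663 whose AccessMask
# has the DELETE bit (0x10000) set.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ([Convert]::ToInt32($data['AccessMask'], 16) -band 0x10000) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['ProcessName']
                Path    = $data['ObjectName']
            }
        }
    } | Format-Table -AutoSize
```

Each row shows when a delete was requested, the account and process that requested it, and the path of the file or folder involved.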

How to consult the event log