Server 2003 - Identify user that deleted a file from share?

dan__wright

One of the files on one of our shares disappeared; the thing is, this file was tnsnames.ora, meaning none of our users could initiate a new connection to any of our databases.

The permissions on this area are:
users = read
'uk admins' = full
system = full

There are 4 of us in the uk admins group (including myself) and none of us moved / deleted this file. I had it back in minutes, but that's not the problem; it's how the file disappeared!

Has anyone seen any strange issues like this before? It's got to be one of the most heavily accessed files on our network, as whenever a PC wants to access an Oracle database it looks it up from the file (it's a bit like DNS for databases).

Are there any logs or any way to see if someone deleted it, or if anything happened to it, in order for it to vanish?

The server is running Server 2003 Standard SP1, and is a DC and GC.
It runs DNS, DHCP, WINS, file and print sharing.
AV is Symantec AV 10 Corp; nothing in quarantine or the log to do with this.

The system runs on a RAID 5 array with no errors from the array, so I doubt it's something at the disk level.

TIA
Dan
 
You know, I've deleted files on accident before... it happens. Someone in your admins group had to do it, as even with full share permissions, read would restrict your users to only being able to read the file.

Of course, someone could have executed the delete command as system... but it's really more likely that someone deleted it on accident.

Without auditing enabled, there really isn't a way to find out who deleted the files. It's times like this when I miss the old Novell servers where you could fire up a utility and undelete a file and identify the user that deleted it.
 
I'd go through the system logs and see who logged in as close to when you think the file was deleted as possible. Unless they went in through a share or the administrative share, then you should be able to at least get an idea of who it might have been. If there was someone logged in at the time of the outage, then you might have your culprit.
 
I know it wasn't deleted locally from the machine; it's always locked as a specific account and there were no logins for that account in the security log.

It will have been via the share or the D$ admin share. We have Tripwire, but because it was deleted and put back so quickly it won't have picked it up.

I will have a look at the AD audit stuff. We already audit all AD changes, but I didn't know you could do it for the file system too. It will be useful for the future, and if we implement it, it will be an acceptable resolution if we are unable to trace what happened.

Thanks
Dan
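The file-system auditing mentioned in the replies above (object access auditing, which would have recorded who deleted the file), worked through as an added example that is not from any poster in this thread. It assumes a Server 2008 or later file server where auditpol and Get-WinEvent exist; on Server 2003 the equivalent is enabling "Audit object access" in Local/Group Policy and setting the SACL in Explorer, and the events to look for are 560/564 rather than 4663/4660. The folder path is a placeholder.

```powershell
# Added example, not from the thread. Run elevated on the file server.
$ShareRoot = 'D:\Shares\Oracle'   # placeholder for the folder holding tnsnames.ora

# 1. Turn on success/failure auditing for the File System subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so that any Delete on the folder tree is logged.
$acl  = Get-Acl -Path $ShareRoot -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ShareRoot -AclObject $acl

# 3. When a file goes missing: 4660 ("an object was deleted") names the handle but not
#    the file; the preceding 4663 with DELETE access (mask 0x10000) names both, so the
#    two are joined on HandleId to get user + file + time.
function Get-DeleteEvents {
    param([string]$NameLike = 'tnsnames.ora', [int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $since }
    $opened = @{}    # HandleId -> data of the 4663 that requested DELETE on a matching file
    $result = @()
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($e.Id -eq 4663) {
            $wantsDelete = ((($d.AccessMask -as [int]) -band 0x10000) -ne 0)
            if ($wantsDelete -and ($d.ObjectName -like "*$NameLike*")) { $opened[$d.HandleId] = $d }
        }
        elseif ($opened.ContainsKey($d.HandleId)) {
            $o = $opened[$d.HandleId]
            $result += [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = "$($o.SubjectDomainName)\$($o.SubjectUserName)"
                File    = $o.ObjectName
                Process = $o.ProcessName
            }
        }
    }
    $result
}

Get-DeleteEvents -NameLike 'tnsnames.ora' -Hours 48 | Format-Table -AutoSize
```

For a deletion made over a share, the process column will show the System process on the server; the originating workstation comes from the matching network logon (event 4624, logon type 3) for that user around the same time.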
 