我在本地安装了windows server 2012 R2 Essentials,将其用作本地使用的文件共享服务器。 我已经创build了Windows Server Essentials仪表板的用户,也创build了相同的服务器文件夹。 最近有人试图删除/剪切整个文件夹,结果90%的文件夹消失了,一些子文件夹和文件处于部分删除状态。 有没有办法找出哪个域用户做到了?
作为预防措施,我现在更改了文件夹权限,以便域用户不能删除文件夹
除非事先configuration了正确的审计。
For the system: Advanced Audit Policy, Object Access, Audit File System (Success and Failure) For the directory: Advanced Security Settings, Auditing, Everyone - Delete (All) 使用这些configuration,您将看到安全日志中的事件ID 4660 An object was deleted ,事件ID 4663:
An attempt was made to access an object. Subject: Security ID: DOMAIN\USER Object: Object Name: C:\share\one Access Request Information: Accesses: DELETE