File deletion auditing when using DFS on Windows 2019 Server?
Hello, we have 2 servers with Windows 2019, and DFS is installed on them with auto-replication to both servers.
As a result, we do not have a normal audit: in the lists for event 4663 (we use an additional filter by mask 0x10000, which presumably corresponds to the DELETE operation) there are files with names like
D:\System Volume Information\DFSR\Private\{ABC…}-{ DEF…}\Installing\Teil-of-name-{123..}-v123456.doc
(this is after removing all files like .log, .tmp and ~$). The user is shown as the name of the server.
There are also deletions of entire directories (?!), also with the server name. The ProcessName field is C:\Windows\System32\dfsrs.exe
There are also deletions from specific users, but from them there are several deletions of the same files - these are probably the results of repeated editing of the same file... At the same time, the ProcessName field is generally empty!
Q: How can deletes be detected when using DFS?
PS On clients connected over the network under the name Disk:\domain name\dfs-shared\folder name , file deletion is almost always not logged. :( Sometimes something similar to the first message \DFSR\Private\{...}\ Installing\..., sometimes D:\foldername\specificname.doc is logged - but no subsequent 4660 message!
PPS Interestingly, when creating and deleting a file (D:\...\Test.txt) in a folder on the server itself using IE, as many as 3 events are registered:
4663 (Test.txt), 4660 (no name), and again 4663 - with the same name Test.txt... why is also unclear.
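
An added example, not part of the original post: one way to cut the 4663 noise described above is to keep only accesses that include the DELETE right (0x10000), drop events from dfsrs.exe and the DFSR staging path, and join each remaining 4663 to a following 4660 on Handle ID plus Process ID. The function name `Get-FileDeleteAudit` is hypothetical and the sample records are constructed; in live use the records would come from the 4660/4663 events in the Security log, in time order.

```powershell
# Added example. Property names mirror the EventData fields of events 4663 and 4660;
# RecordId is the event record number. All sample records below are constructed.
function Get-FileDeleteAudit {
    param([Parameter(Mandatory)][object[]]$Records)

    $open = @{}   # "HandleId|ProcessId" -> result row of the latest 4663 on that handle
    $rows = [System.Collections.Generic.List[object]]::new()

    foreach ($r in ($Records | Sort-Object RecordId)) {
        $key = "$($r.HandleId)|$($r.ProcessId)"

        if ($r.Id -eq 4660) {
            # 4660 has no object name; it confirms the last 4663 seen on the same handle.
            if ($open.ContainsKey($key)) { $open[$key].Confirmed = $true }
            continue
        }
        if ($r.Id -ne 4663) { continue }
        # Keep only accesses that include the DELETE right (0x10000).
        if (([Convert]::ToInt32($r.AccessMask, 16) -band 0x10000) -eq 0) { continue }

        # Replication and temp-file noise: DFSR service, its staging area, .log/.tmp/~$ files.
        $noise = $r.ProcessName -like '*\dfsrs.exe' -or
                 $r.ObjectName -like '*\System Volume Information\DFSR\*' -or
                 $r.ObjectName -match '\.(log|tmp)$|\\~\$[^\\]*$'
        if ($noise) { $open.Remove($key); continue }

        # A repeated 4663 for the same object on the same handle is one operation.
        if ($open.ContainsKey($key) -and $open[$key].Object -eq $r.ObjectName) { continue }

        $row = [pscustomobject]@{ User = $r.SubjectUserName; Object = $r.ObjectName; Confirmed = $false }
        $open[$key] = $row
        $rows.Add($row)
    }
    $rows
}

# Constructed sample: a confirmed delete with a repeated 4663, DFSR noise, a read, an unconfirmed request.
$sample = @(
    @{ RecordId=1; Id=4663; SubjectUserName='alice';  ObjectName='D:\Share\Test.txt'; HandleId='0x1a4'; ProcessId='0x9c0'; AccessMask='0x10000'; ProcessName='' }
    @{ RecordId=2; Id=4660; SubjectUserName='alice';  HandleId='0x1a4'; ProcessId='0x9c0'; ProcessName='' }
    @{ RecordId=3; Id=4663; SubjectUserName='alice';  ObjectName='D:\Share\Test.txt'; HandleId='0x1a4'; ProcessId='0x9c0'; AccessMask='0x10000'; ProcessName='' }
    @{ RecordId=4; Id=4663; SubjectUserName='SRV01$'; ObjectName='D:\System Volume Information\DFSR\Private\{GUID}\Installing\report.doc'; HandleId='0x3c8'; ProcessId='0x7d4'; AccessMask='0x10000'; ProcessName='C:\Windows\System32\dfsrs.exe' }
    @{ RecordId=5; Id=4663; SubjectUserName='bob';    ObjectName='D:\Share\notes.doc'; HandleId='0x2f0'; ProcessId='0x4'; AccessMask='0x1'; ProcessName='' }
    @{ RecordId=6; Id=4663; SubjectUserName='bob';    ObjectName='D:\Share\plan.doc'; HandleId='0x2b0'; ProcessId='0x4'; AccessMask='0x10000'; ProcessName='' }
) | ForEach-Object { [pscustomobject]$_ }

Get-FileDeleteAudit -Records $sample | Format-Table -AutoSize
```

Rows with `Confirmed` left false are DELETE requests with no matching 4660, the case the PS above describes. Handle IDs are reused over time, so the join is only reliable on a contiguous, time-ordered slice of the log.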