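I have Windows Server 2012 R2 Essentials installed locally and use it as a file sharing server for local use. I created the users with the Windows Server Essentials Dashboard, and I also created the server folders with the Dashboard. Recently someone tried to delete/cut an entire folder; as a result, 90% of the folders are gone, and some subfolders and files are in a partially deleted state. Is there any way to find out which domain user did this?
As a precaution, I have now changed the folder permissions so that domain users cannot delete folders.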
Answer 1
Not unless appropriate auditing was configured beforehand.
For the system:
Advanced Audit Policy, Object Access, Audit File System (Success and Failure)
For the directory:
Advanced Security Settings, Auditing, Everyone - Delete (All)
Once configured, you will see Event ID 4660 (An object was deleted) and Event ID 4663 in the Security log:
An attempt was made to access an object.
Subject:
Security ID: DOMAIN\USER
Object:
Object Name: C:\share\one
Access Request Information:
Accesses: DELETE
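
The following is an added example, not part of the original answer: one way to pull those events from the Security log and report which account deleted which path, assuming the audit settings above were already in place when the deletion happened. The folder path, the seven-day window and the helper name `ConvertTo-EventMap` are assumptions for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the file server.
$Root  = 'C:\share\one'            # assumed audited folder (path from the sample event)
$Since = (Get-Date).AddDays(-7)    # assumed look-back window

# Flatten an event's named EventData fields into a hashtable.
function ConvertTo-EventMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{ TimeCreated = $Record.TimeCreated; Id = $Record.Id }
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $map[$d.Name] = $d.'#text'
    }
    $map
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4660, 4663; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object { ConvertTo-EventMap $_ }

# 4660 confirms a deletion but carries no object name, so index it by
# handle, process and logon session and join it to the matching 4663.
# Handle IDs are reused over time; keep the window short to limit false joins.
$confirmed = @{}
foreach ($e in $events | Where-Object { $_.Id -eq 4660 }) {
    $confirmed["$($e.HandleId)|$($e.ProcessId)|$($e.SubjectLogonId)"] = $true
}

$events |
    Where-Object {
        $_.Id -eq 4663 -and
        ([Convert]::ToInt64($_.AccessMask, 16) -band 0x10000) -and   # DELETE right
        $_.ObjectName.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase) -and
        $confirmed.ContainsKey("$($_.HandleId)|$($_.ProcessId)|$($_.SubjectLogonId)")
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
            Object = $_.ObjectName
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

If the Security log has wrapped since the incident, the events are gone; size the log or forward it elsewhere so that bulk deletions stay within retention.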