Occasionally, someone deletes an important document or a folder containing many documents, resulting in the loss of mission-critical data.
Considering the described incident, a few questions immediately arise:
Windows operating systems have a built-in Auditing subsystem that is capable of logging data about file and folder deletion, as well as the user name and the name of the executable that was used to perform the action.
In my working experience, several companies have dealt with deletion on purpose. The typical scenario was: an employee disgruntled with a contract break decided to remove all his/her work results and deleted the contents of his/her home folder as well as all the shared documents he/she was meant to work with.
For instance, during Save command execution Microsoft Office suite software first creates a new temporary file, saves the document to it, then deletes the original document from disk.
Thus, whenever a user deletes a watched object, information about the deletion is captured and stored in the event log.
A systems administrator must be prepared to address such issues.
Most companies have project managers, accountants, developers and other categories of employees who collaborate on groups of documents stored in shared folders on a file server or possibly on workstations.
When such a situation arises, log on to the required computer, click Start → Run and launch the MMC console. It is very likely that events other than the required ones are logged as well.
Right-click the event log and select the View → Filter command.
Such activity is very likely to be noticed in the event logs because it generates tens or even hundreds of successful Object Access records per second.
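An added example (not from the original article): a Python sketch that flags the pattern described above, where one user produces many successful delete records within the same second, while a single deletion by an Office application during Save stays below the threshold. The record field names, the threshold of 10 and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_deletion_bursts(events, threshold=10):
    """Return (user, second, count, executables) for each one-second window
    in which a single user produced at least `threshold` successful deletions."""
    buckets = defaultdict(list)
    for ev in events:
        # Only successful delete accesses count; reads and failures are noise here.
        if ev["result"] != "Success" or ev["access"] != "DELETE":
            continue
        second = ev["time"].replace(microsecond=0)
        buckets[(ev["user"], second)].append(ev)
    bursts = []
    for (user, second), group in sorted(buckets.items()):
        if len(group) >= threshold:
            executables = sorted({ev["process"] for ev in group})
            bursts.append((user, second, len(group), executables))
    return bursts

def build_sample():
    """Constructed Object Access records (hypothetical field names, not real log data)."""
    t0 = datetime(2024, 1, 15, 17, 42, 10)
    def rec(offset_ms, user, process, obj, access="DELETE", result="Success"):
        return {"time": t0 + timedelta(milliseconds=offset_ms), "user": user,
                "process": process, "object": obj, "access": access, "result": result}
    events = [
        # Office Save: the original document is deleted once after the temp file is written.
        rec(0, r"CORP\alice", "WINWORD.EXE", r"D:\Shares\Projects\plan.doc"),
        rec(100, r"CORP\alice", "WINWORD.EXE", r"D:\Shares\Projects\plan.doc", access="ReadData"),
        # A denied attempt must not be counted as a deletion.
        rec(200, r"CORP\carol", "explorer.exe", r"D:\Shares\Finance\q4.xls", result="Failure"),
    ]
    # Bulk deletion: 40 files removed by one user within the same second.
    events += [rec(5000 + 20 * i, r"CORP\bob", "explorer.exe",
                   rf"D:\Shares\Projects\spec_{i:02d}.doc") for i in range(40)]
    return events

if __name__ == "__main__":
    for user, second, count, exes in find_deletion_bursts(build_sample()):
        print(f"{second} {user}: {count} deletions via {', '.join(exes)}")
```

The per-second grouping mirrors the filtering step: narrow the log to successful Object Access records first, then look for a user whose deletions cluster in time.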