file deletion/ eventID 4660

    All_in_hall
    Hi

    I have a test Server 2012 R2 set up with auditing enabled for the deletion of any files or folders, set up in the local policy and on the folder.

    I have a PowerShell script that will trigger in Task Scheduler on event ID 4660 (object deleted).

    The script is:

    $pcName = "GHSVR2012"
    # Take the most recent 4663 (object access) event in the Security log
    $Event = Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4663} | Sort-Object Index -Descending | Select-Object -First 1
    # ReplacementStrings of 4663: [1] = account name, [2] = domain, [6] = object name
    $User = $Event.ReplacementStrings[1]
    $Domain = $Event.ReplacementStrings[2]
    $File = $Event.ReplacementStrings[6]
    $MailSubject = "A File has been deleted in the G Drive:"
    $MailBody = "The account Name is :- " + $Domain + "\" + $User + "`r`n" + "The file deleted was from :" + $File + "`r`n" + "Time: " + $Event.TimeGenerated
    # Send the notification as a plain-text mail
    $SmtpClient = New-Object System.Net.Mail.SmtpClient
    $SmtpClient.Host = "smtp.xxxxxxxxxxxxxx"
    $MailMessage = New-Object System.Net.Mail.MailMessage
    $MailMessage.From = "xxxxxxxxxxxxxxxxxx"
    $MailMessage.To.Add("xxxxxxxxxxxxxxxx")
    $MailMessage.IsBodyHtml = $false
    $MailMessage.Subject = $MailSubject
    $MailMessage.Body = $MailBody
    $SmtpClient.Send($MailMessage)

    I have everything working apart from one thing:-

    If I delete, say, 5 files, called file 1, file 2, file 3, file 4, file 5,

    the event log ID triggers the script to be sent and it will send 5 emails, but won't name each file that has been deleted; instead it will just give the first file it finds.

    E.g. the email I receive below:
    The account Name is :- Domain\User1
    The file deleted was from :C:\Users\User1\Documents\file 1
    Time: 11/17/2014 11:49:35
    Time: 11/17/2014 11:49:35

    any ideas welcome

    cheers

    Gavin
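
One way to get a different file name in each mail is to look up the exact 4660 event that fired the task and match it to the 4663 event logged for the same handle, instead of reading the newest 4663 in the log. The script below is an added example, not part of the original post. It assumes the task's event trigger hands the event's EventRecordID to the script as a hypothetical `-RecordId` parameter (for example through a `ValueQueries` entry in the task XML), and it leaves the post's SMTP code unchanged.

```powershell
# Added example (not from the original post): resolve the file behind one specific 4660.
param(
    # Assumption: the task's event trigger passes the EventRecordID of the 4660 event.
    [Parameter(Mandatory = $true)] [long] $RecordId
)

# Turn an event's <EventData> block into a name -> value hashtable.
function Get-EventField($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

# 1. Load exactly the 4660 record that fired the task, not "the newest event".
$deleted = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop `
    -FilterXPath "*[System[EventID=4660 and EventRecordID=$RecordId]]"
$del = Get-EventField $deleted

# 2. 4660 carries no object name; the 4663 logged for the same handle and process does.
$xpath = "*[System[EventID=4663] and EventData[Data[@Name='HandleId']='$($del.HandleId)'" +
         " and Data[@Name='ProcessId']='$($del.ProcessId)']]"

# 3. Handle IDs are reused, so take the newest earlier 4663 that requested DELETE (0x10000).
$access = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object {
        $_.RecordId -lt $RecordId -and
        ([Convert]::ToInt32((Get-EventField $_).AccessMask, 16) -band 0x10000)
    } |
    Select-Object -First 1

if (-not $access) {
    $file = '(no matching 4663 found for this handle)'
} else {
    $file = (Get-EventField $access).ObjectName
}

# Same body layout as the post's script; hand $MailBody to its existing SMTP code.
$MailBody = "The account Name is :- $($del.SubjectDomainName)\$($del.SubjectUserName)`r`n" +
            "The file deleted was from :$file`r`n" +
            "Time: $($deleted.TimeCreated)"
$MailBody
```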