In my environment, there seems to be a growing problem with users and/or machines being deleted from Endpoint Encryption. Management wants to know what, if any, auditing can be done to see who is doing the deletions. I don't think it is malicious, just a lack of education and comprehension. I am planning to scale back the admin levels on a particular group, but until then, is there a way I can tell who has deleted what object? I have been through the Admin guides and I can see audit codes, but no real way to get any information out of them. When I look at the deleted objects, there is only the option of "restore" or "delete". I can't find any other area that might provide this information.
Thanks in advance.
Environment details: EEM version 184.108.40.206
Server OS: Windows Server 2003
Users: Approx. 1600
Systems: Approx. 1500
The audit for the user who deleted the object will have a "delete object" record - you just need to know the object ID.
The simplest thing would be to dump the user audit for all your users and the event 01000085 using the command-line API. Then you should be able to search for your object ID (class 1 for user, 2 for machine) and see who did the dirty.