For the past two days a user on the network has had the contents of their user area deleted. I am trying to determine why these files are being removed but have had no luck so far as there isn't any information to work on. I would like to use Auditing to log all the activity on that users area. I have enabled every success and failure audit for directory auditing on the users main directory, I have set it up to use the "Everyone" "SYSTEM" and "Administrators" users and group. I enabled "File and object access" auditing in user manager for domains on the domain the BDC operates in. However, even though the auditing appears to be setup I am not receiving any messages when I change files in the audited folder. I believe I need to enable auditing on the local machine and not for the domain. I tried to log onto the BDC locally but was unable to do so. I only had the option of logging on to the domain so tried logging on to COMPUTERNAME\username but it would not log in. I tried this with both a global user and a user I had setup on the local computer. When applying auditing in user manager for domains I changed the computer to the BDC but it told me it was part of a domain and set it's focus on the domain. I am receiving messages in the event log on the PDC regarding "File and object access" but they are not events for the directory I have setup auditing on. I am logging on as an administrator. The PDC and BDC have definitely had a chance to replicate. I feel as though I am missing a step but I have not been able to find any information on the internet covering my problem. If anyone could offer any advice it would be greatly appreciated. Regards Neil Knapp Below follows a basic summary of what I have done to try and audit the user directory. 1) Change directory security properties to audit all success and failure events on the BDC. 2) Enable "File and object access" auditing in user manager (replicates to both DC's) 3) Check the "Security" category in event log for audit messages. Receiving unrelated object access messages on the PDC event log but nothing on the bDC. Am I missing anything?