Audit File and Folder Deletion on Windows File Servers

Easily Audit Who Deleted Files and Folders with Lepide File Server Auditor
Or Deploy With Our Virtual Appliance
5 min read | Updated On - April 18, 2023
In This Article

Tracking who deleted files or folders on Windows File Servers is a vital part of both security and IT operations. If users are deleting files that contain sensitive information, they might be trying to hide something. Likewise, if important files are deleted, it could result in disruption to the business.

Either way, it’s important that you can audit file and folder deletion on File Server.

File and folder deletion auditing can be done for multiple file servers in your network by enabling object access auditing through GPO and then configuring auditing on the required files and folders that you want to audit.

Administrators, after that, can easily track these events in Windows security logs. You will have to follow these three steps:

  1. Enable “Audit Object Access” through GPO.
  2. Enable Auditing of Files and Folders
  3. Track File and Folder Deletion Events in Event Viewer

Step 1 – Enable “Audit Object Access”

Perform the following steps to enable this group policy.

  • On the primary domain controller, open “Group Policy Management”.
  • You have to edit either “Default Domain Policy” or create a new domain level policy and link it.
  • Edit the default or a customized Group Policy to access “Group Policy Management Editor”.
  • Go to “Computer Configuration” – “Windows Settings” – “Security Settings” – “Local Policies” – “Audit Policy” – “Audit object Access”.
    Figure 1: Audit Object Access
  • Double-click this policy to open “Properties” window
    Figure 2: Properties of Audit Object Access
  • Click the “Define these policy settings” checkbox.
  • Now, click “Success” and “Failure” under “Audit these attempts”.
  • Click “Apply” and “OK”.
  • Close “Group Policy Management Editor” and “Group Policy Management Console”.

Step 2 – Enable Auditing of Files and Folders

Perform the following steps to enable the auditing of selected files or folders.

  • In Windows File System, use Windows Explorer to select the folder that you want to audit.
  • Right-click it and select “Properties”.
  • Go to the “Security” tab.
    Figure 3: “Security” Tab of Folder Properties
  • Click “Advanced” to access “Advanced Security Settings”. In the “Advanced Security Settings” window, go to the “Auditing” tab. It displays the existing auditing entries (if there are any).
    Figure 4: “Auditing” tab in “Advanced Security Settings.”
  • To add a new entry, click “Add”. “Auditing Entry” window appears on the screen.
    Figure 5: Configuring auditing entry

    Note: You can select ‘Change Permissions’ if you want to audit permissions changes. Learn more

  • Click “Select a Principal” to select users whose activities you want to track. If you want to audit all users’ activities, enter “Everyone” in the “Enter the object name” box.
    Figure 6: Select users for auditing
  • Click “Check Names” to verify the provided input.
  • Click “OK” to select the object. It takes you back to the “Auditing Entry” window.
  • In “Type” field, select “Success”,” Fail”, or “All”.
  • In the “Applies to” field, select “This folder, subfolder, and files”. Then, all the subfolders and files within this folder will be tracked.
  • Click the “Show advanced permission” option in the permissions section to view all the permissions.
  • Here, select the activities that you want to audit. For tracking file and folder deletion, you will have to select the “Delete”, and “Delete subfolders and files” options.
  • Click “OK” to close “Auditing Entry” window. It takes you back to the “Auditing” tab of advanced security settings, which now displays the newly added user.
  • Click “Apply” and “OK” in “Advanced Security Setting” window.
  • Click “Apply” and “OK” to close the folder properties.

Step 3 – View the Events for Deleted Files and Folders in Event Viewer

Now, open Windows Event Viewer and go to “Windows Logs” – “Security”. Use the “Filter Current Log” option to find events having Events ID 4660 for file and folder deletions.

In the following image, you can see the event id 4660 which has been logged after a folder has been deleted. However, the object’s name is not visible. In the next image, you can see the objects name as well which has been logged at the same time.

Figure 7: An object delete event (4660) is logged

The delete event ID 4660 does not contain the object name, so you have to view event ID 4663 to get that information. In the following image, which shows event 4663 (folder delete event), the object name (C:\Documents\Projects) is also visible.

Figure 8: Folder delete event (4663)

Here, you can see that time to log both event IDs 4660 and 4663 is the same.

How Lepide File Server Auditor Tracks Files and Folders Deletion

As we’ve seen from the above, tracking file and folder deletion in File Server using native auditing is cumbersome, error-prone, and lacks critical audit information.

Thankfully, there’s a better way.

Lepide File Server Auditor effortlessly tracks file and folder deletions with proactive and continuous monitoring. The following image shows the files and folders deletion report. You can see all necessary information related to files and folders deletion is displayed in a single line record.

Figure 11: File and Folder deletion report

The highlighted record, which shows “Projects” in the “Object Name” column shows the same event in Lepide File Server Auditor.

So, when it comes to tracking file and folder deletion, native auditing clearly doesn’t provide as much value as Lepide File Server Auditor. Don’t believe us? Start your own free trial today by filling in the form below:

Check out our Lepide File Server Auditor
Or Deploy With Our Virtual Appliance
Learn More

Easily Audit Who Deleted Files and Folders with Lepide File Server Auditor

Or Deploy With Our Virtual Appliance
Learn More