You can track who deleted files or folders on Windows File Servers through native auditing. This can be done for multiple file servers in your network by enabling object access auditing through GPO and then configuring auditing on the files and folders that you want to audit. Administrators can then track these events in the Windows security logs. You will have to follow these three steps:
- Enable “Audit Object Access” through GPO.
- Enable Auditing of Files and Folders
- Track File and Folder Deletion Events in Event Viewer
Step 1 – Enable “Audit Object Access”
Perform the following steps to enable this group policy.
- On the primary domain controller, open “Group Policy Management”.
- Either edit “Default Domain Policy” or create a new domain-level policy and link it.
- Edit the default or a customized Group Policy to access “Group Policy Management Editor”.
- Go to “Computer Configuration” – “Windows Settings” – “Security Settings” – “Local Policies” – “Audit Policy” – “Audit Object Access”.
- Double-click this policy to open the “Properties” window.
- Select the “Define these policy settings” checkbox.
- Now, click “Success” and “Failure” under “Audit these attempts”.
- Click “Apply” and “OK”.
- Close “Group Policy Management Editor” and “Group Policy Management Console”.
Step 2 – Enable Auditing of Files and Folders
Perform the following steps to enable the auditing of selected files or folders.
- In Windows File System, use Windows Explorer to select the folder that you want to audit.
- Right-click it and select “Properties”.
- Go to “Security” tab.
- Click “Advanced” to access “Advanced Security Settings”. In the “Advanced Security Settings” window, go to the “Auditing” tab. It displays the existing auditing entries (if there are any).
- To add a new entry, click “Add”. “Auditing Entry” window appears on the screen.
Note: You can select ‘Change Permissions’ if you want to audit permissions changes.
- Click “Select a Principal” to select users whose activities you want to track. If you want to audit all users’ activities, enter “Everyone” in “Enter the object name” box.
- Click “Check Names” to verify the provided input.
- Click “OK” to select the object. It takes you back to “Auditing Entry” window.
- In “Type” field, select “Success”, “Fail”, or “All”.
- In “Applies to” field, select “This folder, subfolder, and files”. Then, all the subfolders and files within this folder will be tracked.
- Click “Show advanced permission” option in the permissions section to view all the permissions.
- Here, select the activities that you want to audit. For tracking file and folder deletion, you will have to select the “Delete” and “Delete subfolders and files” options.
- Click “OK” to close the “Auditing Entry” window. It takes you back to the “Auditing” tab of advanced security settings, which now displays the newly added user.
- Click “Apply” and “OK” in the “Advanced Security Settings” window.
- Click “Apply” and “OK” to close the folder properties.
Step 3 – View the Events for Deleted Files and Folders in Event Viewer
Now, open Windows Event Viewer and go to “Windows Logs” – “Security”. Use the “Filter Current Log” option to find events with Event ID 4660 for file and folder deletions.
In the following image, you can see the event ID 4660 which has been logged after a folder has been deleted. However, the object’s name is not visible. In the next image, you can see the object’s name as well, which has been logged at the same time.
The delete event ID 4660 does not contain the object name, so you have to view event ID 4663 to get that information. In the following image, which shows event 4663 (folder delete event), the object name (C:\Documents\Projects) is also visible.
Here, you can see that event IDs 4660 and 4663 were logged at the same time.
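The manual pairing of 4660 with 4663 described above can be scripted. The following PowerShell is an added example, not part of the original article or any Lepide tooling; it assumes a 24-hour look-back window and matches the two events on logon ID, process ID and handle ID rather than on timestamp alone, which is a choice made here for busy servers.

```powershell
# Added example: pair each 4660 with the 4663 that names the deleted object.
# Run in an elevated PowerShell session on the audited file server.
$since = (Get-Date).AddHours(-24)   # assumed look-back window; adjust as needed

function Get-EventFields($Record) {
    # Flatten the event's <EventData> name/value pairs into a hashtable.
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

$filter  = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $since }
$pending = @{}   # last DELETE access seen per logon session + process + handle

Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue |
ForEach-Object {
    $f   = Get-EventFields $_
    $key = '{0}|{1}|{2}' -f $f.SubjectLogonId, $f.ProcessId, $f.HandleId

    if ($_.Id -eq 4663) {
        # %%1537 is the DELETE access right in the 4663 "Accesses" list.
        if ($f.AccessList -match '%%1537') { $pending[$key] = $f }
    }
    elseif ($pending.ContainsKey($key)) {
        # 4660 confirms the deletion; the matching 4663 supplies the name.
        $named = $pending[$key]
        $pending.Remove($key)   # handle IDs are reused, so consume the match
        [pscustomobject]@{
            TimeDeleted = $_.TimeCreated
            User        = '{0}\{1}' -f $f.SubjectDomainName, $f.SubjectUserName
            ObjectName  = $named.ObjectName
            Process     = $f.ProcessName
        }
    }
} | Sort-Object TimeDeleted | Format-Table -AutoSize -Wrap
```

A 4663 with DELETE access that has no matching 4660 is not reported, because only the 4660 confirms that the object was actually removed.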
How Lepide File Server Auditor Tracks Files and Folders Deletion
You can use Lepide File Server Auditor to track file and folder deletions with much less effort. The following image shows the files and folders deletion report. You can see all necessary information related to files and folders deletion in a single line record.
The highlighted record, which shows “Projects” in the “Object Name” column, shows the same event in Lepide File Server Auditor.
In this article, you have seen how to track files and folders deletion. You have also seen an easier way of doing the same with Lepide File Server Auditor. Our solution gives you predefined reports to track files and folder deletion.