Track File Deletions and Permission Changes on Windows File Servers
You can track who deleted files or folders on Windows File Servers, and also track who changed permissions on files and folders through native auditing. This task can be done for multiple file servers in your network by enabling object access auditing through GPO, and then configuring auditing on the required files and folders that you want to audit. Administrators, after that, can easily track these events in Windows security logs. You will have to follow these three steps:
- Enable ‘Audit Object Access’ through GPO.
- Configure auditing on every file and folder on file servers that you want to audit.
- Track file and folders deletion/permission change events in Windows Security logs through event viewer.
Step 1 – Enable “Audit Object Access”
Perform the following steps to enable this group policy.
- On the primary domain controller, open “Group Policy Management”.
- You have to edit either “Default Domain Policy” or create a new domain level policy and link it.
- Edit the default or a customized Group Policy to access “Group Policy Management Editor”.
- Go to “Computer Configuration” → “Windows Settings” → “Security Settings” → “Local Policies” → “Audit Policy” → “Audit object Access”.
- Double-click this policy to open “Properties” window
- Click “Define these policy settings” checkbox.
- Now, click “Success” and “Failure” under “Audit these attempts”.
- Click “Apply” and “OK”.
- Close “Group Policy Management Editor” and “Group Policy Management Console”.
Step 2 – Enable Auditing of Files and Folders
Perform the following steps to enable the auditing of selected files or folders.
- In Windows File System, use Windows Explorer to select the folder that you want to audit.
- Right-click it and select “Properties”.
- Go to “Security” tab.
- Click “Advanced” to access “Advanced Security Settings”. In “Advanced Security Settings” window, go to “Auditing” tab. It displays the existing auditing entries (if there are any).
- To add a new entry, click “Add”. “Auditing Entry” window appears on the screen.
- Click “Select a Principal” to select users whose activities you want to track. If you want to audit all users’ activities, enter “Everyone” in “Enter the object name” box.
- Click “Check Names” to verify the provided input.
- Click “OK” to select the object. It takes you back to “Auditing Entry” window.
- In “Type” field, select “Success”,” Fail”, or “All”.
- In “Applies to” field, select “This folder, subfolder, and files”. Then, all the subfolders and files within this folder will be tracked.
- Click “Show advanced permission” option in the permissions section to view all the permissions.
- Here, select the activities that you want to audit. For tracking file deletion and permissions change, you will have to select “Change permissions”, “Delete”, and “Delete subfolders and files” options.
- Click “OK” to close “Auditing Entry” window. It takes you back to “Auditing” tab of advanced security settings, which now displays the newly added user.
- Click “Apply” and “OK” in “Advanced Security Setting” window.
- Click “Apply” and “OK” to close the folder properties.
Step 3 – View the Events
Now, open Windows Event Viewer and go to “Windows Logs” → “Security”. Use the “Filter Current Log” option to find events having IDs 4660 (file/folder deletions) and IDs 4670 (permission changes).
In the following image, you can see the event id 4660 which has been logged after a folder has been deleted. However, object’s name is not visible. In the next image, you can see the objects name as well which has been logged at the same time.
The delete event ID 4660 does not contain the object name, so you have to view event ID 4663 to get that information. In the following image, which shows event 4663 (folder delete event), the object name (C:\Documents\Projects) is also visible.
Here, you can see that time to log the both event IDs 4660 and 4663 is same.
In the following image, you can see the permission change event (event id 4670).
In the following image, the information was scrolled down to show the name of object of which permissions were changed.
LepideAuditor for File Server
You can use LepideAuditor for File Server to track file and folder deletions and permission changes much effortlessly. The following image shows files and folders deletion report. You can see all necessary information related to files and folders deletion in a single line record.
The highlighted record, which shows “Projects” in the “Object Name” column shows the same event in LepideAuditor for File Server.
The following screenshot shows “All Permission Modifications”. All necessary information like who changed which permission, when and where is given in a single line record. These reports are available both in grid view and graph view.
Here, you can see the above-shown permission change event (“Documents” permission) in the LepideAuditor for File Server.
In this article, you have seen how to track files and folders deletion and permission changes. You have also seen an easier alternative of doing the same with LepideAuditor for File Server. Our solution gives you predefined reports to track files and folders deletion and permission changes.