Track File Deletions and Permission Changes on Windows File Servers

by Danny Murphy

You can track who deleted files or folders on Windows file servers, and who changed permissions on files and folders, through native auditing. To do this for multiple file servers in your network, enable object access auditing through a GPO, and then configure auditing on the files and folders that you want to audit. Administrators can then track these events in the Windows security logs. Follow these three steps:

  1. Enable “Audit Object Access” through GPO.
  2. Enable Auditing of Files and Folders.
  3. Track File Deletion and Permission Change Events in Event Viewer.

Step 1 – Enable “Audit Object Access”

Perform the following steps to enable this group policy.

  • On the primary domain controller, open “Group Policy Management”.
  • Either edit the “Default Domain Policy” or create a new domain-level policy and link it.
  • Edit the default or a customized Group Policy to access “Group Policy Management Editor”.
  • Go to “Computer Configuration” – “Windows Settings” – “Security Settings” – “Local Policies” – “Audit Policy” – “Audit Object Access”.
    Figure 1: Audit Object Access
  • Double-click this policy to open the “Properties” window.
    Figure 2: Properties of Audit Object Access
  • Click “Define these policy settings” checkbox.
  • Now, click “Success” and “Failure” under “Audit these attempts”.
  • Click “Apply” and “OK”.
  • Close “Group Policy Management Editor” and “Group Policy Management Console”.

Step 2 – Enable Auditing of Files and Folders

Perform the following steps to enable the auditing of selected files or folders.

  • In Windows File System, use Windows Explorer to select the folder that you want to audit.
  • Right-click it and select “Properties”.
  • Go to “Security” tab.
    Figure 3: “Security” Tab of Folder Properties
  • Click “Advanced” to access “Advanced Security Settings”. In the “Advanced Security Settings” window, go to the “Auditing” tab. It displays the existing auditing entries (if there are any).
    Figure 4: “Auditing” tab in “Advanced Security Settings.”
  • To add a new entry, click “Add”. “Auditing Entry” window appears on the screen.
    Figure 5: Configuring auditing entry
  • Click “Select a Principal” to select users whose activities you want to track. If you want to audit all users’ activities, enter “Everyone” in “Enter the object name” box.
    Figure 6: Select users for auditing
  • Click “Check Names” to verify the provided input.
  • Click “OK” to select the object. It takes you back to “Auditing Entry” window.
  • In the “Type” field, select “Success”, “Fail”, or “All”.
  • In the “Applies to” field, select “This folder, subfolders and files”. All the subfolders and files within this folder will then be tracked.
  • Click the “Show advanced permissions” option in the permissions section to view all the permissions.
  • Here, select the activities that you want to audit. For tracking file deletion and permissions change, you will have to select “Change permissions”, “Delete”, and “Delete subfolders and files” options.
  • Click “OK” to close “Auditing Entry” window. It takes you back to “Auditing” tab of advanced security settings, which now displays the newly added user.
  • Click “Apply” and “OK” in the “Advanced Security Settings” window.
  • Click “Apply” and “OK” to close the folder properties.
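
When several folders or servers need the same auditing entry, the Step 2 settings can be applied from an elevated PowerShell session instead of the GUI. The following is an added example, not part of the original article; `Add-DeletionAudit` is a hypothetical helper name, and `C:\Documents` stands in for the folder you want to audit.

```powershell
# Added example: applies the Step 2 auditing entry from PowerShell.
# Add-DeletionAudit is a hypothetical helper name, not a built-in cmdlet.
function Add-DeletionAudit {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # S-1-1-0 is the well-known SID for "Everyone"; the SID works on localized systems too.
    $everyone  = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    # The three boxes ticked in Step 2.
    $rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions'
    # Equivalent of "This folder, subfolders and files".
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    # Equivalent of Type = "All".
    $flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $everyone, $rights, $inherit, $propagate, $flags)

    # -Audit is required; without it Get-Acl does not return the auditing entries (SACL).
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the auditing entries now on the folder so the change can be verified.
    (Get-Acl -LiteralPath $Path -Audit).Audit
}

# Placeholder folder; replace with the folder to audit.
Add-DeletionAudit -Path 'C:\Documents' |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Confirm that the Step 1 policy has reached this server.
auditpol /get /category:"Object Access"
```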

Step 3 – View the Events

Now, open Windows Event Viewer and go to “Windows Logs” – “Security”. Use the “Filter Current Log” option to find events with IDs 4660 (file/folder deletions) and 4670 (permission changes).

In the following image, you can see event ID 4660, which was logged after a folder was deleted. However, the object’s name is not visible. In the next image, you can see the object’s name as well, in an event that was logged at the same time.

Figure 7: An object delete event (4660) is logged

The delete event ID 4660 does not contain the object name, so you have to view event ID 4663 to get that information. In the following image, which shows event 4663 (folder delete event), the object name (C:\Documents\Projects) is also visible.

Figure 8: Folder delete event (4663)

Here, you can see that event IDs 4660 and 4663 were logged at the same time.
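
Pairing the two events by hand does not scale beyond a few deletions. The following added example (not part of the original article) joins each 4660 to its 4663 on the Handle ID, Process ID and Logon ID fields that both events carry, within a short time window; the function names are hypothetical and the sample records are constructed.

```powershell
# Added example. ConvertTo-AuditRecord and Get-DeletedObject are hypothetical
# helper names; the sample records below are constructed, not real log data.

# Flatten a Security-log event into one property per EventData field.
function ConvertTo-AuditRecord {
    param([Parameter(ValueFromPipeline)] $LogEvent)
    process {
        $rec = [ordered]@{ Id = $LogEvent.Id; TimeCreated = $LogEvent.TimeCreated }
        foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        [pscustomobject]$rec
    }
}

# Pair each 4660 with the 4663 that carries the object name.
function Get-DeletedObject {
    param([object[]]$Records, [int]$WindowSeconds = 2)
    $deleteAccess = @($Records | Where-Object {
        $_.Id -eq 4663 -and ([Convert]::ToInt64($_.AccessMask, 16) -band 0x10000)  # DELETE right
    })
    foreach ($del in @($Records | Where-Object { $_.Id -eq 4660 })) {
        # Handle IDs are reused, so also require the same process, logon session and a close timestamp.
        $hit = $deleteAccess | Where-Object {
            $_.HandleId -eq $del.HandleId -and $_.ProcessId -eq $del.ProcessId -and
            $_.SubjectLogonId -eq $del.SubjectLogonId -and
            [math]::Abs(($del.TimeCreated - $_.TimeCreated).TotalSeconds) -le $WindowSeconds
        } | Select-Object -First 1
        [pscustomobject]@{
            Time       = $del.TimeCreated
            User       = '{0}\{1}' -f $del.SubjectDomainName, $del.SubjectUserName
            ObjectName = if ($hit) { $hit.ObjectName } else { '<no matching 4663>' }
            Process    = $del.ProcessName
        }
    }
}

# Constructed sample: one deletion, plus an older 4663 that used the same handle value.
$t = Get-Date '2024-01-15 10:30:00'
$common = @{ SubjectDomainName = 'CONTOSO'; SubjectUserName = 'jdoe'; SubjectLogonId = '0x3e7a1'
             ProcessId = '0x1f3c'; ProcessName = 'C:\Windows\explorer.exe'; HandleId = '0x1a4c' }
$sample = @(
    [pscustomobject]($common + @{ Id = 4663; TimeCreated = $t.AddHours(-1); AccessMask = '0x1'; ObjectName = 'C:\Documents\Other.txt' })
    [pscustomobject]($common + @{ Id = 4663; TimeCreated = $t; AccessMask = '0x10000'; ObjectName = 'C:\Documents\Projects' })
    [pscustomobject]($common + @{ Id = 4660; TimeCreated = $t })
)
Get-DeletedObject -Records $sample | Format-List   # ObjectName resolves to C:\Documents\Projects

# Live use on the file server (elevated session):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } | ConvertTo-AuditRecord
# Get-DeletedObject -Records $live
```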

In the following image, you can see the permission change event (event ID 4670).

Figure 9: Permission change event

In the following image, the event details have been scrolled down to show the name of the object whose permissions were changed.

Figure 10: Permission change event of “Documents” folder

How Lepide File Server Auditor Tracks File Deletion and Permission Changes

You can use Lepide File Server Auditor (part of Lepide Data Security Platform) to track file and folder deletions and permission changes with much less effort. The following image shows the file and folder deletion report. All the necessary information about each deletion appears in a single-line record.

Figure 11: File and Folder deletion report

The highlighted record, which shows “Projects” in the “Object Name” column, is the same deletion event as it appears in Lepide File Server Auditor.

The following screenshot shows the “All Permission Modifications” report. All the necessary information, such as who changed which permission, when and where, is given in a single-line record. These reports are available in both grid view and graph view.

Figure 12: All permissions modification report

Here, you can see the above-shown permission change event (“Documents” permission) in the Lepide File Server Auditor.

In this article, you have seen how to track file and folder deletions and permission changes. You have also seen an easier way of doing the same with Lepide File Server Auditor. Our solution gives you predefined reports to track file and folder deletions and permission changes.