none
Local machine file auditing, cant get it to work. RRS feed

  • Question

  • Hi,

    We're having issues with a user who seem to be deleting files in a cloud filesharing solution we use, every time this person syncs a folder to their computer. Now, I've already gone through logs on the filesharing solution and determined that files were being deleted from the users local machine. The user claims to have no idea why they're being deleted, and according to said user, they haven't even been at their machines when the deletion started, this I have also corroborated through event logs (user had workstation locked, event id 4800 had been logged prior to deletion and no 4801 (unlock) following it).

    Now, I have in an attempt to further troubleshoot this issue set up Auditing, but it doesn't seem to work as expected.

    Running RSOP/Gpresult both show Audit Object Access as enabled and to audit both success and failure, SACL on the "Sync folder" has been set to audit Delete & Delete Subfolders and files, and principal is set to Everyone,yet, after multiple file deletions nothing is logged.

    I set up a test client and applied the same policy settings and even applied auditing on the entire C:\ drive for Everyone, but I can find not a single event ID of 4660 or 4663 on the machine after deletion was performed, I had verified policy was applied prior to this.

    I haven't been able to find any information that states audit not working on specific versions of Windows 10, but could this be the case? We run Windows 10 Education as I work in academia.

    Kind Regards

    Fredric



    • Edited by FredricD Wednesday, January 10, 2018 8:21 AM fix title
    Monday, January 8, 2018 11:01 AM

All replies

  • Hi,

    I found an article may give you some ideas, please refer to the link:

    My files are missing. How do I get them back?

    https://www.sync.com/help/my-files-are-missing-how-do-i-get-them-back/

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 9, 2018 4:12 AM
    Moderator
  • I honestly have no idea why you'd link an article on how to restore deleted files from a file-sharing service called Sync when my question has no relation to it. This is regarding Object Access auditing in Windows 10.
    Tuesday, January 9, 2018 7:33 AM