How can I track who deleted a file/folder from Windows Server 2008

  • Question

  • Someone deleted a file from a Server 2008 shared folder.

    I want to track who deleted this file/folder.

    Any comment is highly appreciated.

    Rgd

    Arvind


    Arvind

    Saturday, September 8, 2012 11:38 AM

Answers

  • You first will need to turn on auditing, from either local policies, or domain policies and apply it to the machine you want to audit. Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.

    GPEDIT:

    Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object access

    You can turn on success, because if they don't have access to delete things then it would create a failure, so you don't want to monitor those events.

    Once that is in place, go to the folder you want to monitor, right click and go to Properties.

    Click the Security tab --> Advanced --> Auditing tab --> Edit --> Add --> then add the group that has access to that folder --> Select the events you want to audit and click OK --> Select "Replace all existing inheritable audit entries" to apply the audit on all subfolders and files, and click OK.

    You are now auditing that folder. You will need to monitor the event logs for the particular events; a quick Bing or Google search should give you the event ID #'s you want to monitor for.


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.

    Saturday, September 8, 2012 1:29 PM
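
The two steps in the answer above (audit policy, then an audit entry on the folder), scripted in PowerShell as an added example that is not part of the original post. The folder path and group name are assumed placeholders, and the policy is set with `auditpol` on the "File System" subcategory instead of through GPEDIT.

```powershell
# Added example; run from an elevated PowerShell prompt on the file server.
# $folder and $group are assumed values: replace them with your own.
$folder = 'D:\Shares\Finance'
$group  = 'CONTOSO\Domain Users'

# Step 1: enable success auditing for file system object access.
auditpol /set /subcategory:"File System" /success:enable

# Step 2: build an audit rule (SACL entry) for successful deletes that is
# inherited by all subfolders and files under $folder.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $group, $rights, $inherit, $prop, $flags)

# -Audit is required, otherwise Get-Acl does not return the SACL at all.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: verify both halves. If either one is missing, no events are logged.
# auditpol /get reports the effective setting; a domain GPO that defines
# audit policy replaces a locally made setting at the next policy refresh.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```
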
  • Hi,

    The steps provided by clayman2 should be correct. Please make sure that 2 steps (group policy and config in Security tab) are both applied.

    Here are 2 more threads about this question:

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/dd0f78d0-e39c-4ea6-9087-9250694b9a90/

    http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/da689e43-d51d-4005-bc48-26d3c387e859


    TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.

    Tuesday, September 11, 2012 7:45 AM

All replies

  • In which Event Viewer option do these logs appear? I tried all the above settings and a delete on the folder

    and checked the logs, but no logs were found.


    Arvind

    Saturday, September 8, 2012 3:31 PM
  • I believe Security; look for event IDs 4663 and 4656, those should log the deletion of an object. If not, you may not have things configured properly.


    • Edited by clayman2 Sunday, September 9, 2012 2:45 AM
    • Proposed as answer by __S_ Tuesday, January 27, 2015 1:06 AM
    Sunday, September 9, 2012 2:45 AM
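
One way to pull the deletions out of the Security log once events with ID 4663 are being written, as an added example that is not part of the original thread. The function name `Get-DeleteEvents` and the folder path are assumptions; the filter keeps only 4663 events whose access mask includes the DELETE right (0x10000).

```powershell
# Added example; run elevated, since reading the Security log needs admin rights.
$DELETE = 0x10000   # DELETE bit in the AccessMask field of event 4663

function Get-DeleteEvents {
    param(
        [string]$PathPrefix,                          # audited folder, e.g. D:\Shares\Finance
        [datetime]$Since = (Get-Date).AddDays(-1)     # how far back to search
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches, so silence that case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
            $d[$n.Name] = $n.'#text'
        }
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)
        if (($mask -band $DELETE) -and ($d['ObjectName'] -like "$PathPrefix*")) {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
                LogonId = $d['SubjectLogonId']
            }
        }
    }
}

# Assumed path; lists who deleted what under it during the last 24 hours.
Get-DeleteEvents -PathPrefix 'D:\Shares\Finance' |
    Sort-Object Time |
    Format-Table Time, User, Object, Process -AutoSize
```

An empty result with the audit policy enabled usually means the audit entry on the folder is missing, or the other way round; both are needed before 4663 appears.
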
  • Everything is configured correctly and only 4634 and 4624 events come in Security.

    Secondly, we again tried to delete a file; still no event comes.


    Arvind

    • Proposed as answer by Sniffadog Wednesday, November 1, 2017 4:51 AM
    • Unproposed as answer by Sniffadog Wednesday, November 1, 2017 4:51 AM
    Monday, September 10, 2012 6:28 AM
  • I tried to apply the settings below:

    Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object access

    but after some time the settings are automatically removed.

    It is Windows Server 2008 R2, a domain controller.


    Arvind

    Monday, September 10, 2012 6:37 AM
  • After configuring the policy itself, you went ahead and configured auditing on the folder/files you want to monitor?


    Monday, September 10, 2012 1:30 PM
  • Guys,

    I have got your point regarding the auditing and file access. Now I want to know whether there is any way to get a mail, notification or any kind of alert automatically if anyone deletes any file from the defined, audit-enabled folder?

    • Proposed as answer by Kolapo Friday, August 8, 2014 10:55 AM
    Thursday, July 31, 2014 6:31 AM
  • To get automatic email alerts on predetermined access events (such as a file deletion, access denied, specific user or file access, etc.) you'll need to look at a third-party software solution, FileAudit.

    http://www.isdecisions.com/products/fileaudit/

    FileAudit makes monitoring and auditing access (and access attempts) to files and folders across your Windows File Systems easy. A simple, agentless deployment means you can quickly start protecting all the servers in your Windows environment. 

    Hope this helps you.

    Friday, August 1, 2014 8:52 AM
  • I tried the above.

    In Windows Server Std R2 we have a domain.

    When I deleted a file on the D drive and looked at the Event Viewer, under user name it still displays the user as "administrator". The file was actually deleted by user "lms1".

    A response will be appreciated.

    Rgds,

    R N Murthy

    Thursday, November 10, 2016 12:40 PM