Audit File Deletion on Server 2012

We often get complaints that important files have been “deleted” from shared folders and need restoring. Restoring them from backups, or even from Previous Versions, is easy, but sometimes you need to know who removed the file, or when the file was removed. This is where auditing comes into play.

The first step is to enable auditing on the machine in question (in our case, the server where the shares reside). To do this:

  1. On the Server, go to Local Group Policy management.
  2. Browse to Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Audit Policy –> Audit object Access.
  3. Select “Success” in the options screen (unless you want to also log when users have failed to delete items).

Once the policy is set up, you then need to configure the auditing itself. To do this:

  1. Go to the Folder that needs monitoring, right click and select Properties.
  2. Click on the Security tab, then go to Security –> Advanced –> Auditing Tab.
  3. Click the Disable Inheritance button if available.
  4. Click Add then select the principal (i.e. the group or users that you want to monitor) and change the Type drop-down to Success.
  5. In the Basic Permissions, select which events you want to audit (in this case they are the deletion events).
  6. Finally, OK out of the menus, watch as the permissions apply and you are good to go.

To view the audited events, open Event Viewer and, under Windows Logs, choose the Security log, then set up a filter for event ID 4663. This will show you the delete events for the folder.
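
The same lookup can be scripted. The following is an added example, not part of the original post: it reads event ID 4663 from the Security log and keeps only entries whose access mask includes the DELETE right, reporting who removed which file and when. The folder path and the seven-day window are assumptions; the path is matched against the local path on the server, not the UNC share name.

```powershell
# Added example: report who deleted what under an audited folder, using event ID 4663.
# Run in an elevated PowerShell session on the file server.
$SharePath = 'D:\Shares\Finance'      # hypothetical path: replace with your audited folder
$Since     = (Get-Date).AddDays(-7)   # assumed look-back window
$DeleteBit = 0x10000                  # DELETE access right in the 4663 AccessMask field

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter |
    ForEach-Object {
        # Turn the event's <EventData> name/value pairs into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # AccessMask is logged as a hex string such as 0x10000.
        $mask     = [Convert]::ToInt32($data['AccessMask'], 16)
        $isDelete = ($mask -band $DeleteBit) -ne 0

        # Literal, case-insensitive prefix match so characters such as [ ] in
        # folder names are not treated as wildcards.
        $object  = [string]$data['ObjectName']
        $inShare = $object.StartsWith($SharePath, [StringComparison]::OrdinalIgnoreCase)

        if ($isDelete -and $inShare) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $object
                Process = $data['ProcessName']
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

If no 4663 events exist in the window, Get-WinEvent reports that no events matched, which usually means the audit policy or the folder's auditing entry has not been applied yet.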
