Daniel Booker
asked on
Server 2012 R2 audit file/folder deletion
I am running Server 2012 R2.
My goal here is to find out what file/folder and who has deleted it in my given audited folder.
Here is what i have done.
I ran GPEDIT.MSC > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object Access > Checked the box for success
Once that is in place, I went to the folder I wanted to monitor, right click and went to properties.
Clicked the security tab > Advanced > Auditing Tab > Add > then added the "Everyone" security group to the folder > Selected "Show advanced permissions" > Checked "Delete subfolders and files" and "Delete". I left the default for type: Success and applies to: "This folder, subfolders and files".
I then ran gpupdate and then proceeded to delete a couple of items in the audited folder. I cannot find any events where I went to my folder that I just put the audit on above in the security event viewer. Did I do something wrong... also it would be nice if I knew what event ID correlated with an object being deleted. That way I can create a custom view to make life easier when I am looking.
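Added example, not from the original post or the hidden solution: the same setup done from an elevated PowerShell prompt on Server 2012 R2, with the two checks a practitioner would want before concluding that auditing is broken. The folder path D:\Audited is a hypothetical stand-in. One caveat worth knowing: the legacy "Audit object access" checkbox under Local Policies is overridden whenever an Advanced Audit Policy subcategory (here "File System") is configured, locally or by GPO, so `auditpol /get` is the only reliable way to see what is actually in effect.

```powershell
# Added example (not from the original post). Run elevated on the file server.
# $Folder is a hypothetical path; substitute the folder you want audited.
$Folder = 'D:\Audited'

# 1. Enable success auditing for the File System subcategory and confirm it.
#    If a GPO applies advanced audit policy, this subcategory, not the legacy
#    "Audit object access" category, is what the system honours.
auditpol.exe /set /subcategory:"File System" /success:enable
auditpol.exe /get /subcategory:"File System"

# 2. Add a SACL entry equivalent to the GUI steps: audit successful
#    "Delete" and "Delete subfolders and files" for Everyone, applied to
#    this folder, subfolders and files (ContainerInherit + ObjectInherit).
$acl     = Get-Acl -Path $Folder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Verify the SACL landed (the GUI sometimes silently fails on Set-Acl
#    when the caller lacks SeSecurityPrivilege).
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. Generate a known deletion (constructed test file) and look for it.
$test = Join-Path $Folder 'audit-test.txt'
Set-Content -Path $test -Value 'constructed test file for audit check'
Remove-Item -Path $test

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4660, 4663
    StartTime = (Get-Date).AddMinutes(-5)
} | Select-Object TimeCreated, Id, Message | Format-List
```

If step 1 shows "Success" but step 4 returns nothing, the usual cause is that the deletion happened through a path that never touched this SACL (for example a different share or volume), or that the log was queried before the events were written; the Security log is also worth sizing up, since object-access auditing with Everyone is noisy and rolls older events off quickly.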
ASKER
4660 tells you that a user has deleted an object but does not tell you the file name + location.
4663 tells you that a file was attempted to be deleted. It also throws out a lot of extra events like synchronize and other junk that is not important.
So basically if I find a 4660 event and then look at the 4663 event right before it, I will find exactly what I am looking for.
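Added example, not from the original post or the asker's reply: a PowerShell script that does the 4660/4663 pairing automatically instead of by eye. The join key is the Handle ID that both events carry, not event adjacency, because under load the 4663 that opened the handle with DELETE access can sit several events before the 4660 that reports the handle's object being deleted. The script keeps only 4663 events whose Access Mask includes DELETE (0x10000), which filters out the SYNCHRONIZE and READ noise mentioned above, and it reports a deletion only when a matching 4660 follows, since a 4663 with DELETE on its own only proves a handle was opened with that right, not that the file went away. The 24-hour window is an arbitrary assumption.

```powershell
# Added example (not from the original post). Run elevated on the file server.
# Builds "who deleted what" by joining each 4660 (object deleted) to the
# 4663 (delete access granted) that opened the same handle.
$Hours = 24   # assumed lookback window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4660, 4663
    StartTime = (Get-Date).AddHours(-$Hours)
} | Sort-Object TimeCreated, RecordId

# Handles opened with DELETE, keyed by HandleId, waiting for their 4660.
$openForDelete = @{}
$DELETE = 0x10000   # ACCESS_MASK bit for DELETE

$results = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        4663 {
            # Access Mask is logged as hex text such as "0x10000".
            $mask = [Convert]::ToInt64($data['AccessMask'], 16)
            if ($mask -band $DELETE) {
                $openForDelete[$data['HandleId']] = $data
            }
        }
        4660 {
            # 4660 has the handle and the subject but no object name;
            # the name comes from the matching 4663.
            $h = $data['HandleId']
            if ($openForDelete.ContainsKey($h)) {
                $opened = $openForDelete[$h]
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Object  = $opened['ObjectName']
                    Process = $opened['ProcessName']
                    Record  = $e.RecordId
                }
                $openForDelete.Remove($h)
            }
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Handle IDs are reused once a handle closes, so the script drops a handle from the table as soon as its 4660 is consumed; pairing across a log that has wrapped will still lose deletions whose 4663 rolled off before the 4660 did, which is a reason to forward Security events off the box rather than rely on the local log.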