Folder Level/User Auditing

Posted on 2008-11-05
Last Modified: 2013-12-04
We had someone or something come in and delete a bunch of our production data last night. I am recovering it, but I wanted to see how to set up a folder level audit so that it records in the Event Viewer.

This is what I am doing:

Log into "Server"

1. Turn the auditing system on. Click Start  > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.

2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"

3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK

4. Exit the Group policy Editor

5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing

6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.

7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.

8. Select the "actions" you want to audit > OK >OK >OK

Audited Events will now be displayed in the event viewer > security log

I set the folder with the Audit Policy, but for some reason in the Event Viewer all I am getting is "Object Access" category entries. I am looking for more specific things like.

User A deleted this file/folder on whatever date.....   Is this even possible?
Question by:surftech
    LVL 31

    Expert Comment

    by:Toni Uranjek

    You have to examine the contents of record. When user deletes an object an event with ID 564 should be recorded.


    Author Comment

    Right but what I am looking for is who deleted an object.
    LVL 31

    Expert Comment

    by:Toni Uranjek
    If event 564 does not contain username, open nearest 560 event which should contain username.

    Author Comment

    Here is my scenario.

    I have about 10 servers. On each server of those 10 is a root folder in which users place and process data. I want to be able to view events based off of those root folder in the security tab of each server in which entries will log who created a folder and who deleted a folder, with the user name.

    Right now I can only get 3 of the Categories. Object Access, Logon/Logoff, Policy change. I need the Delete or Create category to display with the username who deleted it...

    A screen shot is attached.


    Author Comment

    And you can see that the 1 entry has the user name "lauro" that is my username. I would like that for all my users for Create and Delete entries. But I cant seem to accomplish that...
    LVL 31

    Accepted Solution

    You can use filtering, right click Security log and selectView, Filter... or you can export events in csv format and examine them with Excel.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Is Threat Intelligence?

    Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

    Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
    Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
    Need more eyes on your posted question? Go ahead and follow the quick steps in this video to learn how to Request Attention to your question. *Log into your Experts Exchange account *Find the question you want to Request Attention for *Go to the e…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    794 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now