Learn how to a build a cloud-first strategyRegister Now


Folder Level/User Auditing

Posted on 2008-11-05
Medium Priority
Last Modified: 2013-12-04
We had someone or something come in and delete a bunch of our production data last night. I am recovering it, but I wanted to see how to set up a folder level audit so that it records in the Event Viewer.

This is what I am doing:

Log into "Server"

1. Turn the auditing system on. Click Start  > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.

2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"

3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK

4. Exit the Group policy Editor

5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing

6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.

7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.

8. Select the "actions" you want to audit > OK >OK >OK

Audited Events will now be displayed in the event viewer > security log

I set the folder with the Audit Policy, but for some reason in the Event Viewer all I am getting is "Object Access" category entries. I am looking for more specific things like.

User A deleted this file/folder on whatever date.....   Is this even possible?
Question by:surftech
  • 3
  • 3
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22893083

You have to examine the contents of record. When user deletes an object an event with ID 564 should be recorded.


Author Comment

ID: 22897483
Right but what I am looking for is who deleted an object.
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22897915
If event 564 does not contain username, open nearest 560 event which should contain username.
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.


Author Comment

ID: 22898132
Here is my scenario.

I have about 10 servers. On each server of those 10 is a root folder in which users place and process data. I want to be able to view events based off of those root folder in the security tab of each server in which entries will log who created a folder and who deleted a folder, with the user name.

Right now I can only get 3 of the Categories. Object Access, Logon/Logoff, Policy change. I need the Delete or Create category to display with the username who deleted it...

A screen shot is attached.


Author Comment

ID: 22898172
And you can see that the 1 entry has the user name "lauro" that is my username. I would like that for all my users for Create and Delete entries. But I cant seem to accomplish that...
LVL 31

Accepted Solution

Toni Uranjek earned 2000 total points
ID: 22919679
You can use filtering, right click Security log and selectView, Filter... or you can export events in csv format and examine them with Excel.

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question