We help IT Professionals succeed at work.
Get Started
Folder Level/User Auditing
We had someone or something come in and delete a bunch of our production data last night. I am recovering it, but I wanted to see how to set up a folder level audit so that it records in the Event Viewer.
This is what I am doing:
Log into "Server"
1. Turn the auditing system on. Click Start > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.
2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"
3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK
4. Exit the Group policy Editor
5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing
6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.
7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.
8. Select the "actions" you want to audit > OK >OK >OK
Audited Events will now be displayed in the event viewer > security log
I set the folder with the Audit Policy, but for some reason in the Event Viewer all I am getting is "Object Access" category entries. I am looking for more specific things like.
User A deleted this file/folder on whatever date..... Is this even possible?
This is what I am doing:
Log into "Server"
1. Turn the auditing system on. Click Start > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.
2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"
3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK
4. Exit the Group policy Editor
5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing
6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.
7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.
8. Select the "actions" you want to audit > OK >OK >OK
Audited Events will now be displayed in the event viewer > security log
I set the folder with the Audit Policy, but for some reason in the Event Viewer all I am getting is "Object Access" category entries. I am looking for more specific things like.
User A deleted this file/folder on whatever date..... Is this even possible?
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE