Monitor deleted files

Posted on 2009-12-31
Last Modified: 2012-05-08
I have a Windows 2003 file server. Once every few months an important directory is being deleted. How do I configure file level monitoring on the directory, so I know who is deleting it?
Question by:magnusthorne
    LVL 35

    Accepted Solution

    Please check out this guide:
    (How to audit File / Directory delete Operations on a Windows System using security auditing.)
    LVL 74

    Expert Comment

    by:Glen Knight
    You need to enable auditing, see here for how:
    LVL 7

    Expert Comment

    How about making the directory itself read-only, or even read\write, but removing the ability to delete it?

    There are ways but not always the easiest to dig up\through; you need to enable auditing:

    Right-click on the folder, go to Sharing and Security, then the Security tab, and at the bottom click on Advanced. Select the Auditing tab, click Add, select the group or users to track, then pick what actions you want to track.

    To track file deletion you would enable:

    Create files/Write data Success/Fail
    Create folders / append data Success/Fail
    Delete Subfolders/Files Success/Fail
    Delete Success/Fail

    Once that's done, Windows will log all the information in the security event log.
    LVL 5

    Expert Comment

    I could find a way to tell you who was deleting the file, but then to find out who the culprit is you have to experience the problem and associated inconveniences again.  Instead, I would DENY (in advanced security settings under the permissions tab for the directory in question) to "Delete" and "Delete Subfolders and Files" to everyone except for one or two "trusted accounts" or a trusted group.  Then go into "Local Security Policy" and edit the Local Security Settings | Local Policies | Audit Policy | Audit Object Access.  Open the Audit Object Access window and set the policy to "Audit Failure Attempts" only.  This will accomplish three things:
    1) The problem will not recur unless the problem is a trusted individual
    2) When someone attempts to delete this directory in the future they will be denied access and the audit object access failures will catch it.
    3) Your logs will not fill up quickly because you're only auditing failures and not successes.
    Hope this helps
    LVL 3

    Expert Comment

    As mentioned before, you could do auditing; however, the first port of call is to see who has permission to that file and ensure that only people who need delete ability have it. MS shadow copy might also help you with restoring previous versions...
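The folder auditing steps described in the comments above can also be scripted. The following is an added example, not code posted by anyone in the thread: it adds an audit entry for the four access types listed above and then searches the Security log for delete accesses on the folder. The path `D:\Shares\Important` is a hypothetical placeholder, and the event IDs (560 on Windows Server 2003, 4663 on Windows Server 2008 and later) are an assumption taken from Microsoft's event documentation rather than from the thread.

```powershell
# Added example. $Path is a hypothetical placeholder; run as an administrator.
# "Audit object access" must already be enabled in the audit policy
# (Local Security Policy, as described in the thread), or nothing is logged.
$Path = 'D:\Shares\Important'

# The four access types listed in the thread, by their .NET FileSystemRights names.
$rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Read the current audit list (SACL), append one rule for Everyone, write it back.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', $rights, $inherit, $propagate, $flags
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the rule is in place.
(Get-Acl -Path $Path -Audit).Audit |
    Format-List IdentityReference, FileSystemRights, AuditFlags

# After an incident: list object-access events that name the folder and
# include the DELETE access. The message text carries the account name.
# Event IDs are an assumption (560 = Server 2003, 4663 = Server 2008+).
$ids = 560, 4663
Get-EventLog -LogName Security |
    Where-Object {
        $ids -contains $_.EventID -and
        $_.Message -like "*$Path*" -and
        $_.Message -like '*DELETE*'
    } |
    Select-Object TimeGenerated, EventID, EntryType, Message |
    Format-List
```

To audit failures only, as the later comment suggests, set `$flags` to `Failure` and pair the rule with the Deny permissions described there.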
