who deleted folder?

Posted on 2011-05-03
Last Modified: 2013-12-04
Two months ago, I heard that one of our staff that was deleting some files from our network and I would like to go back to see if it's true that the particular individual did deleted it. I can g to the Security Event Log but it only logs the most recent events. So how can I go back two months ago and see it? Any suggestiions?
Question by:dcanuday
    LVL 15

    Expert Comment

    I don't think you can. What you need to do is configure Auditing of the Shared Folder or Folders. If you do not have Auditing configured then there would be no way of knowing. Refer to the link below and this will explain how to configure Auditing.
    LVL 15

    Assisted Solution

    So what you need to do is in Group Policy create a new GPO and give this GPO a discriptive name such as 'Auditing Folder Deletion'. Edit this GPO and go to > Computer Configuration > Windows Settings > Security Settings > Local Policies > Click on Audit Policy > rigth click on Audit Object Access and tick Define these policy settings and also tick Sucess and Failure.

    You can then link this GPO to the Site, Domain or OU. The next step is to enable Auditing on the folder. So close Group Policy and then in Windows Explorer or My Computer, right click on the Shared Folder, or Folder that you want to Audit and select Properties > Security > Advanced > Auditing > Add the Group you want to Audit. You can add the Everyone Group so you can Audit all users in your Domain and all other accounts that would not be apart of the Domain Users Group. The last part would be to select the entried you want to Audit such as Delete Subfolder and Files etc.

    These log files will be generated in the Windows Security Logs on the Server in Event Viewer.
    LVL 36

    Accepted Solution

    if you never enabled AUDIT and defined specific NTFS-based folders for AUDIT, you have NO way to know who deleted something.

    however, do it now, next time you may see something when required.

    HOW TO: Audit Active Directory Objects in Windows Server 2003

    hope it helps,
    LVL 27

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Join & Write a Comment

    The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
    In a recent article here at Experts Exchange (, I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
    This video discusses moving either the default database or any database to a new volume.
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    730 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now