Server 2012 R2 audit file/folder deletion

I am running Server 2012 R2.

My goal here is to find out what file/folder and who has deleted it in my given audited folder.

Here is what i have done.
I ran GPEDIT.MSC > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object Access > Checked the box for success

Once that is in place, I went to the folder I wanted to monitor, right click and went to properties.
Clicked the security tab > Advanced > Auditing Tab > Add > then added the "Everyone" security group to the folder > Selected "Show advanced permissions" > Checked "Delete subfolders and files" and "Delete". I left the default for type: Success and applies to: "This folder, subfolders and files".

I than ran gpupdate and then preceded to delete a couple items in the audit folder. I can not find any events were I went to my folder that I just put the audit on above in the security event viewer.  Did i do something wrong... also would be nice if i knew what event ID correlated with an object being deleted. That way I can create a custom view to make life easier when I am looking.
LVL 1
easyworksAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
You do not enable auditing on the local file server, you do this on the default domain controllers policy, as a first step. From there you then continue to configure the audit policy on the files and folders you wish.

Use the link below to outline all of the necessary steps to audit file/folder changes
https://technet.microsoft.com/en-ca/library/dd277403.aspx

Will.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
easyworksAuthor Commented:
That works. Just found that the event ID I need to find is 4660 + 4663.

4660 tells you that a user has deleted an object but does not tell you the file name + location.
4663 tells you that a file was attempted to be deleted. It also throws out a lot of extra events like synchronize and other junk that is not import.

So basically if I find 4660 event then look to the event right before it 4663 i will find exactly what I am looking for.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.