Server 2012 R2 audit file/folder deletion

I am running Server 2012 R2.

My goal here is to find out what file/folder and who has deleted it in my given audited folder.

Here is what i have done.
I ran GPEDIT.MSC > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object Access > Checked the box for success

Once that is in place, I went to the folder I wanted to monitor, right click and went to properties.
Clicked the security tab > Advanced > Auditing Tab > Add > then added the "Everyone" security group to the folder > Selected "Show advanced permissions" > Checked "Delete subfolders and files" and "Delete". I left the default for type: Success and applies to: "This folder, subfolders and files".

I than ran gpupdate and then preceded to delete a couple items in the audit folder. I can not find any events were I went to my folder that I just put the audit on above in the security event viewer.  Did i do something wrong... also would be nice if i knew what event ID correlated with an object being deleted. That way I can create a custom view to make life easier when I am looking.
Who is Participating?
Will SzymkowskiSenior Solution ArchitectCommented:
You do not enable auditing on the local file server, you do this on the default domain controllers policy, as a first step. From there you then continue to configure the audit policy on the files and folders you wish.

Use the link below to outline all of the necessary steps to audit file/folder changes

easyworksAuthor Commented:
That works. Just found that the event ID I need to find is 4660 + 4663.

4660 tells you that a user has deleted an object but does not tell you the file name + location.
4663 tells you that a file was attempted to be deleted. It also throws out a lot of extra events like synchronize and other junk that is not import.

So basically if I find 4660 event then look to the event right before it 4663 i will find exactly what I am looking for.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.