Stephen James (United States) asked:
File & Folder Security Auditing on domain workstations

I have a need to enable file & folder security auditing for successful deletion events on a specific folder on domain computers.  I am a third-party support vendor and do not have access to their AD, but I have been asked to research how to turn on security auditing for a specific folder and its sub-folders and files.  We are only interested in tracking successful deletion events for this folder's contents.  I've been searching for the right information to pass along to their domain administrator but can't find instructions that get granular enough.  I can recall from memory how to create a specific GPO to apply to the specific OU containing all of the computers in question, but we don't want to audit ALL security events for these computers, just deletion events for one folder and its contents ONLY.  I'm happy to do the research but hoping that one of you professionals could point me in the right direction.  Thanks! Steve
bbao (Australia):

The official guide below gives the detailed instructions. Basically, five steps are required:

1. Enable auditing on the DC.
2. Select the object (specific folder) to audit and set the SACL (successful deletion).
3. Configure the event log.
4. Protect the audit data.
5. Review the audit logs.

Configuring Audit Policies
http://technet.microsoft.com/library/dd277403.aspx
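The five steps above, carried out on a single workstation with nothing but built-in tools, as an added example that is not part of the original thread or of Microsoft's guide. It keeps the scope as narrow as the asker wants: only the "File System" audit subcategory is switched on, and only one folder gets an audit ACE, so no other path on the disk produces events. The folder path `C:\ExampleApp\bin` is a placeholder, and the choice of `Everyone` as the audited principal (any account, any process) is an assumption; both are marked in the code.

```powershell
# Added example, not from the original thread or Microsoft's guide: the five
# steps done locally on one workstation with built-in tools, limited to
# successful deletes under one folder. Run from an elevated PowerShell.
# Assumptions (not in the thread): the folder is C:\ExampleApp\bin, and the
# deletes may come from any account, hence an audit ACE for Everyone.
$Target = 'C:\ExampleApp\bin'   # hypothetical path; replace with the real "bin" folder

# 1. Audit policy: only the "File System" subcategory of Object Access, success
#    only. Registry, handle, logon and other subcategories stay untouched.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:disable

# 2. SACL: one audit ACE on the folder, inherited by subfolders and files, that
#    fires only on a successful Delete (DELETE on the file, or FILE_DELETE_CHILD
#    on the parent). No other path on the disk is touched.
$acl  = Get-Acl -Path $Target -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    ([System.Security.AccessControl.FileSystemRights]::Delete -bor
     [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles),
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Event log: make the Security log large enough (size in bytes, 256 MB here)
#    that the evidence is still there when someone looks. Delete events for one
#    folder are few, but the log is shared with logon and other noise.
wevtutil.exe sl Security /ms:268435456

# 4. Protect the audit data: leave the Security log's default permissions alone
#    (only SYSTEM and Administrators can read or clear it). Clearing it leaves
#    event 1102, so check for that before trusting the absence of delete events.
if (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction SilentlyContinue) {
    Write-Warning 'The Security log has been cleared at least once; audit data may be missing.'
}

# 5. Review: event 4663 ("An attempt was made to access an object") carries the
#    account, the process image and the access mask; 0x10000 is DELETE. Event
#    4660 ("An object was deleted") follows with the same handle ID but no
#    process name, so 4663 is the one that answers "what deleted it".
function Get-FolderDeleteEvents {
    param([string]$Path)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectName -like "$Path*" -and $data.AccessMask -eq '0x10000') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Process = $data.ProcessName
                    Object  = $data.ObjectName
                }
            }
        }
}

Get-FolderDeleteEvents -Path $Target | Format-Table -AutoSize
```

On a domain, the same two settings are what a GPO linked to the workstations' OU delivers without touching any other folder: the SACL under Computer Configuration > Policies > Windows Settings > Security Settings > File System (add the path, then Edit Security > Advanced > Auditing), and the policy under Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit File System (Success). One caveat for the case described later in this thread: a patch file being overwritten with an older version is a write, not a delete, so to catch that as well the audit ACE needs `WriteData` added and the review filter needs access mask `0x2` alongside `0x10000`.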
Stephen James (ASKER):
Another FYI: the folders we want to audit are only present on the domain workstations and not on the DCs.  Specifically, it is a "bin" folder for our company's installed software, and the root problem that is making this auditing a necessity is that, frequently as of late, certain software patch files are being deleted or overwritten by a yet undetermined process, and we are trying to get to the bottom of it so we can address the root cause and resolve it.  One of our concerns is that we do not want to cripple the network by having any file and folder auditing turned on other than for this specific folder and its sub-folders and files, and then only "Deletion Success Events" of the folder and its sub-folders and files.  Sorry for being so repetitive and redundant, but in my experience it is always a good thing to err on the side of caution.
ASKER CERTIFIED SOLUTION
bbao (Australia)
Stephen James (ASKER):
Process Monitor is the best solution for the moment.  I'm taking that advice but going further in working to run it as a service with a custom filter created to watch ONLY the files we are interested in tracking changes and deletions on.  Thanks, Bing CISM / CISSP
McKnife:
Procmon is not really suitable in my opinion. It is not meant for long-term logging. The logs it produces are huge, and it slows down the system a lot. Can you tell me why you would not use the auditing functions that are built in (those that I linked)?
Stephen James (ASKER):
McKnife, normally I would agree, but in this case it is a bit difficult to stick to the accepted "norm", which would be to do just what you suggest and use group policy to set an audit policy to apply to a specific OU to push out to all domain computers which I want to track these changes on.  However, the first problem is that I only want to track deletions within a certain directory and "ONLY" that directory.  My company is contracted to the entity whose network these computers reside upon.  We have software and hardware installed on their computers which perform a vital function for them.  For months now, some process keeps deleting critical files within our software, and we are trying to come up with the best possible solution to track what exactly is deleting the key files or, in some cases, overwriting certain files with older versions.  Since we share hardware and software, you can imagine that there is a certain degree of finger pointing.  I'm working to remove finger pointing from the equation by tracking and discovering "exactly" what is making these changes and eliminating the root cause.  If there is a way through group policy on the DC to create a policy that is granular enough to audit only the directory we want to watch without also being forced to audit the entire hard drive on every single domain computer, this is what I am after here.  Thus far, I've not found a way other than "Local Computer Policy" that will achieve this, but in our situation it is just unreasonable to edit each and every computer on the domain to make these piecemeal changes.  I agree that Procmon is not the golden bullet either, but in answer to your comment about the log files being too large and it slowing the computers down, this is true if you don't have a custom config to track only the few items we want to track.  By default, Procmon tracks everything.
I created a custom filter that instructs it to only log file deletions (if they happen) within the one directory that contains the files for our software program.  Ideally I would rather use group policy, but I don't want to blanket audit the entire hard drive for all domain computers with our software, as that would also create large log files and slow down their computers, even if we tell group policy to only audit deletion success events.

Also, this will not be long-term logging.  We only want to put this process in place long enough to find out what is deleting/changing our files.  Once we have identified the culprit and resolved the issue, we will remove the Procmon or group policy auditing.  I'm all ears if you have a better solution, because I've been researching for days and haven't been able to find the right solution for this situation.

We are also limited in that we can't install anything on the company's computers.  Our solution must be as low impact as possible and easy to implement and, later, easy to remove once we no longer need it in place.

Respectfully,
TNTech71
McKnife:
"If there is a way through group policy on the DC to create a policy that is granular enough to audit only the directory we want to watch without also being forced to audit the entire hard drive on every single domain computer, this is what I am after here." - I know, that's why I recommended what I did.