Check to see who deleted a folder

Someone deleted a folder off our shared system. I want to see who it is. I do have auditing turned on but when I go to the event, I only see a general description
audit.jpg
Steven HoongSystems AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

masnrockCommented:
You need to have auditing on, and you could also decide to have a product like Netwrix Auditor or ADAudit Plus. (Note: ADAudit Plus requires the file integrity add on)

These are some ways to go about it without using Powershell. However, since this is a past event, you may not be able to get the info you want with the tools I suggested.
2

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Naveen SharmaCommented:
You can try LepideAuditor for File Server to track file and folder deletions along with you can set up an alert for delete action and every time someone deletes you'll get alerted via e-mail in real time.

Check the below article to get in detailed description of the procedure for tracking file deletions on Windows File Servers: https://www.lepide.com/how-to/track-file-deletions-and-permission-changes-on-file-servers.html
0
Brian BEE Topic Advisor, Independant Technology ProfessionalCommented:
Unfortunately it looks like you don't have enough auditing enabled to determine the problem. It is not retroactive so you won't be able to find more information by fixing the problem now.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Sara TeasdaleCommented:
I agree with masnrock, you first need to turn on auditing from either local policies or domain policies and apply it to the machine you want to audit.

Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.

GPEDIT:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object Access

You can turn on success and then it would create a failure, so you dont want to monitor those events.

Here are more reference for doing this

http://www.monitorware.com/common/en/articles/audit_file_deletion.php

http://www.poweradmin.com/file-sight/

https://www.netfort.com/languardian/solutions/file-activity-monitoring/

https://www.netwrix.com/how_to_detect_who_deleted_file.html

Hope it help
1
Steven HoongSystems AdministratorAuthor Commented:
so I do have it turned on. is this incorrect?

2018-04-11-09_55_37-XenCenter.jpg
0
Yadhu GiriCommented:
Go through the article, there are other GP  you need enable, after enabling those you can install DFSR  and create a report to send a mail notification.

https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
auditing

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.