Tuesday 24 March 2015

Microsoft: How to Track who Deleted File / Folder from Windows Server

First, turn on auditing through either local policy or domain policy, and apply it to the machine you want to audit. Once the policy is set, configure auditing on everything you want to audit; from that point on, events will be added to the event log.

GPEDIT:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object access

Turn on Success only. If a user does not have access to delete things, the attempt would be logged as a failure, and you do not want to monitor those events.

Once that is in place, go to the folder you want to monitor, right-click it and open Properties. Click the Security tab --> Advanced --> Auditing tab --> Edit --> Add --> then add the group that has access to that folder --> select the events you want to audit and click OK --> select "Replace all existing inheritable audit entries" to apply the audit to all subfolders and files, and click OK.

You are now auditing that folder. You will need to monitor the event logs for the particular events.
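The folder auditing step and the event log check can also be scripted. The following PowerShell is an added example, not part of the original post: it adds a Success audit entry for delete rights on a folder and then lists who exercised delete access under it. It assumes an elevated session on Windows Server 2008 or later, where this access is logged as Security event 4663 with the DELETE bit (0x10000) set in AccessMask; `$Path` and `$Group` are hypothetical placeholders.

```powershell
# Added example. $Path and $Group are hypothetical; replace with your own values.
$Path  = 'D:\Shares\Finance'        # folder to audit (placeholder)
$Group = 'CONTOSO\Finance-Users'    # group that has access to the folder (placeholder)

# 1. Add a Success audit entry for deletes, inherited by subfolders and files.
#    This adds to the existing audit entries instead of replacing them.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $Path -Audit   # -Audit loads the audit entries (SACL) as well
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 2. Read event 4663 from the Security log and keep only delete access under $Path.
$DeleteBit = 0x10000                # DELETE standard access right
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue

$deletes = foreach ($e in $events) {
    # Turn the <Data Name="..."> elements of the event into a lookup table.
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }

    # AccessMask is a hex string such as 0x10000.
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    if (($mask -band $DeleteBit) -and $data['ObjectName'] -like "$Path*") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
        }
    }
}

$deletes | Sort-Object Time | Format-Table -AutoSize
```

No events are written until the "Audit object access" policy above has been applied to the machine.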
