3

I need to enable auditing of delete actions on a specific network shared folder (and all its children) on a Windows Server 2008 r2 machine. The closest I could find was this article - http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/ but it relates to 2003.

In the comments one person notes that the EventID's 560 and 564 are not relevant to Win 2003. They suggest that a delete on Win 2008 is EventID 4656 but I don't find any of these events in my security log. I enabled auditing on the folder via security tab option after right clicking on the folder. Another comment in the quoted link suggests that auditing must be enabled both on the local file system and the server, and also that group policies could overwrite any local policies.

I tried to enable auditing in the Local Security Policies under Local Policies\Audit Policy\Audit object access but it seems to be removed every time I close the policy console. I am a local admin on the server but not a domain admin and a bit stuck at this point. Any pointers will be mostly appreciated.

Neville
  • 133
  • 1
  • 1
  • 5

3 Answers3

2

Enable Active Directory Recycle Bin on that share and after you Audit delete change in your Active Directory. (Active Directory Recycle Bin Step-by-Step Guide)

Using the auditing mechanism

In Windows Server 2008 R2, as in Windows Server 2008, you can use the Active Directory Domain Services (AD DS) auditing mechanism with the Directory Service Changes audit policy to log old and new values when changes are made to Active Directory objects and their attributes. We recommend that you implement auditing in your Active Directory environment to track all object deletions, object deletion times, and the account names that perform these object deletions. For more information, see the AD DS Auditing Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=125458).

From; Appendix A: Additional Active Directory Recycle Bin Tasks

nb, You need to be more than a local admin for that solution.

yagmoth555
  • 16,300
  • 4
  • 26
  • 48
2

First configure audit object access in the AD Group Policy or on the server local GPO. Setting is under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."

After that configure an audit entry on the specific folder that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.

After doing these steps, any file deletions will show up in the Security log of the file server: https://technet.microsoft.com/en-us/library/dd772690%28WS.10%29.aspx

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
Mac Carter
  • 11
  • 2
2

I know this is an old question, but I had this same question and never found an answer so hopefully this helps someone else. I ended up finding the delete event with Event ID: 4663. Here's an example:

An attempt was made to access an object.

Subject:
    Security ID:        xxx\administrator
    Account Name:       administrator
    Account Domain:     xxx
    Logon ID:       0x64ba61

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    D:\xxx\New folder
    Handle ID:  0xca8

Process Information:
    Process ID: 0xc80
    Process Name:   C:\Windows\explorer.exe

Access Request Information:
    Accesses:   DELETE

    Access Mask:    0x10000
TheDavidFactor
  • 121
  • 4