Raj KAJ (scottobear) wrote,

How to detect who deleted a file from your file server

  • Configure File System Auditing: Navigate to the required file share, right-click it and select “Properties”. Select the “Security” tab → “Advanced” button → “Auditing” tab → click “Add”. Select Principal: “Everyone”; Type: “All”; Applies to: “This folder, subfolders and files”; under “Advanced Permissions” tick “Delete subfolders and files” and “Delete”.
  • Configure Audit Policy: Run gpedit.msc, edit “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy: Audit object access → Define → Success and Failures.
  • Configure Advanced Audit Policy: Go to “Advanced Audit Policy Configuration” → Audit Policies → Object Access: Audit File System → Define → Success and Failures; Audit Handle Manipulation → Define → Success and Failures.
  • Configure Event Log Size: Go to Event Log → Define: Maximum security log size to 4 GB; Retention method for security log to “Overwrite events as needed”.
  • Check Security log: Open Event Viewer and search the Security log for event ID 4656 with the “File System” or “Removable Storage” task category and the string “Accesses: DELETE”. “Subject: Security ID” shows who deleted the file.
  • Use case video: http://www.youtube.com/watch?v=sfLzqGk57vk
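The same five steps as a PowerShell script, added here as an example (it is not from the original post). It assumes `$SharePath` is a placeholder for the real share folder, that it runs elevated on the file server, and that the built-in `auditpol.exe` and `wevtutil.exe` are available; the audit-policy and log-size settings are applied locally here, whereas the steps above set them through Group Policy. The last function is the step-5 search: it reads 4656 events from the Security log, keeps those in the “File System” or “Removable Storage” task category whose requested access mask includes the DELETE right (what the rendered message shows as “Accesses: DELETE”), reports the Subject fields, and additionally marks whether a 4660 (“object was deleted”) event with the same HandleId followed, since a 4656 alone only records that a handle with delete access was requested.

```powershell
# Added example, not the original post's code. $SharePath is an ASSUMPTION (placeholder).
$SharePath = 'D:\Shares\Finance'

# Step 1: file-system auditing (SACL): Everyone, Success+Failure, Delete and
# Delete subfolders and files, applied to "This folder, subfolders and files".
function Set-DeleteAuditRule {
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Steps 2 and 3: object-access category plus the File System and Handle Manipulation
# subcategories, Success and Failure (local equivalent of the GPO settings above).
function Enable-FileDeleteAuditPolicy {
    & auditpol.exe /set /category:"Object Access" /success:enable /failure:enable | Out-Null
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    & auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable /failure:enable | Out-Null
    & auditpol.exe /get /category:"Object Access"      # show the resulting settings
}

# Step 4: Security log to 4 GB (4294967296 bytes), overwrite events as needed (/rt:false).
function Set-SecurityLogSize {
    & wevtutil.exe sl Security /ms:4294967296 /rt:false
}

# Step 5: who requested DELETE on a file, and whether a matching 4660 deletion followed.
function Get-FileDeleteAudit {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4660; StartTime = $Since } `
                           -ErrorAction SilentlyContinue

    # Index 4660 events by HandleId so each 4656 can be correlated with the actual deletion.
    $deleted = @{}
    foreach ($e in ($events | Where-Object Id -eq 4660)) {
        $x = [xml]$e.ToXml()
        $h = ($x.Event.EventData.Data | Where-Object Name -eq 'HandleId').'#text'
        $deleted[$h] = $e.TimeCreated
    }

    foreach ($e in ($events | Where-Object Id -eq 4656)) {
        if ($e.TaskDisplayName -notin 'File System', 'Removable Storage') { continue }
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # DELETE is standard access right 0x00010000; skip handles requested without it.
        if (-not ([int64]$d['AccessMask'] -band 0x10000)) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"   # Subject fields
            SID     = $d['SubjectUserSid']                                    # Subject: Security ID
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
            Deleted = $deleted.ContainsKey($d['HandleId'])                    # 4660 seen for this handle
        }
    }
}

# Usage (run elevated):
#   Set-DeleteAuditRule -Path $SharePath
#   Enable-FileDeleteAuditPolicy
#   Set-SecurityLogSize
#   Get-FileDeleteAudit -Since (Get-Date).AddHours(-4) | Format-Table -AutoSize
```

Handle IDs are reused by the kernel, so the 4660 correlation is only reliable when the search window is short; widen it and you may see a later, unrelated deletion matched to an earlier handle request. The `Deleted` column is therefore a confidence hint, and the `Object` and `User` columns from the 4656 event remain the primary answer the post is after.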

Originally published at The Scotto Grotto. You can comment here or there.

Tags: code, tech support, uncategorized