How to Audit manipulation with files and folders on Windows File Server

Short guide How to audit manipulation with files and folders on Windows File Server.

1. First thing first you must configure Security policy to enable Auditing on machine:

Select only one of 2 following ways:

  • Modern Granular way (2008+) – Advanced Audit Policy Configuration
    • INFO: This will disable configuration of Old way through Object Access Audit Policy (2003) because this is more granular auditing and can’t be used 2 ways at once. This policy will not work if you have configured old way of policy by Domain GPO which has higher priority than local policy.
    • Run > secpol.msc
    • Advanced Audit Policy Configuration > System Audit Policies > Object Access
      • Audit File System – Success
      • Audit Handle Manipulation – Success

  • Old way through Object Access Audit Policy (2003)
    • INFO: Use this policy only if you use 2003 Server edition because this policy generates more events than you need.
    • Run > secpol.msc
    • Local Policies > Audit Policy
      • Audit object access – Success


2. Then you can set Auditing on random folder in NTFS Advanced permissions:

  1. Right click on folder > Properties > Security
  2. Select Advanced > Auditing > Add
  3. Select object which you want audit – It can be specific user, group, computer. In most cases you will select Everyone because you want to audit everybody (does not matter if it’s domain or local everyone group) > OK
  4. Select auditing which fits your needs. Less is better to avoid huge amount of audited actions. If you want to audit just removed/moved files and folders, check Successful – Delete subfolder and files, Delete.


Last important thing is extend Security log file size:

  1. Run > eventvwr.msc
  2. Expand Windows Logs > Right click on Security > Properties
  3. Modify Maximum log size (KB) to fit your needs – I recommend at least 2GB (2048000 KB) > OK

Investigation who removed or moved file/folder:

  • Open Security log and look for Event ID: 4660,4656. Where 4660 is notification who deleted object and at the same time 4656 handle request where is object saved. (Appliest to 2008+)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.