Short guide: how to audit manipulation of files and folders on a Windows file server.
First of all, enable the Object Access audit policy to fit your needs:
- Run > secpol.msc
- Local Policies > Audit Policy > Audit object access
- Check Success
Then set auditing on any folder of your choice in the NTFS advanced permissions:
- Right click on folder > Properties > Security
- Select Advanced > Auditing > Add
- Select the object you want to audit: it can be a specific user, group or computer. In most cases you will select Everyone, because you want to audit everybody (it does not matter whether it is the domain or the local Everyone group) > OK
- Select the auditing that fits your needs. Less is better, to avoid a huge volume of audited actions. If you only want to audit removed/moved files and folders, check Successful for Delete subfolders and files, and Delete.
The last important thing is to extend the Security log file size:
- Run > eventvwr.msc
- Expand Windows Logs > Right click on Security > Properties
- Modify Maximum log size (KB) to fit your needs – I recommend at least 2GB (2048000 KB) > OK
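The three configuration steps above (audit policy, folder SACL, Security log size) as a single scripted run. This is an added example, not part of the original guide: the folder path is a placeholder, the script must run in an elevated PowerShell on the file server, and it uses auditpol's "File System" subcategory rather than the legacy secpol.msc setting, which is what the guide describes through the GUI.

```powershell
# Added example (not from the original guide). Run elevated on the file server.
# $Target is a placeholder path; replace it with the share you want to audit.
$Target = 'D:\Shares\Finance'

# 1. Audit policy: enable Success auditing for Object Access / File System.
#    Equivalent of secpol.msc > Audit object access > Success, at subcategory level.
auditpol.exe /set /subcategory:"File System" /success:enable

# 2. Folder SACL: audit successful Delete and "Delete subfolders and files" for Everyone,
#    inherited by all subfolders (ContainerInherit) and files (ObjectInherit).
$acl  = Get-Acl -Path $Target -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Security log size: wevtutil takes bytes; 2048000 KB from the guide = 2097152000 bytes.
wevtutil.exe sl Security /ms:2097152000

# Show the resulting SACL so the change can be verified.
(Get-Acl -Path $Target -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Set-Acl needs the "Manage auditing and security log" privilege to write a SACL, which is why the elevated session matters; if auditpol reports the subcategory is already configured by Group Policy, the domain GPO wins and the local change will be reverted at the next refresh.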
Investigating who removed or moved a file/folder:
- Open the Security log and look for Event IDs 4660 and 4656: 4660 records who deleted the object, and the 4656 logged at the same time is the handle request that records where the object was stored. (Applies to Windows Server 2008 and later.)