Est. Reading Time: 4 minutes
When important files and folders turn up missing, in addition to restoring the data, typically users want to know what happened to them. Very often files and folder can be found in a surrounding folders due to an accidental drag and drop however in other cases someone actually deleted their files and folders. When this happens the owner probably wants to know “WHO DID IT?”
Unfortunately, in a Windows Server environment, file auditing is not turned on by default. Therefor when faced with a request to identify who deleted the data, you are left with no other choice but to say the dreaded phrase that no system administrator ever wants to utter “I don’t know…” That is not something your users and especially not your business owners ever want to hear.
That said, be proactive and enable auditing. It’s pretty quick and simple and I will go through this using traditional auditing methods (rather than the advanced auditing policy configuration which I may cover in a future post). Here is what you will need to do.
First we need to enable auditing of files and folders on the server. I recommend doing this in a GPO for consistency and visibility however for non-domain servers this can be done via the local policy (secpol.msc).
Locate a GPO that is linked to an OU your server is in or create a new GPO and link. In our case, we want to audit the file system on our domain controllers so I am using the “Default Domain Controllers Policy”.
Navigate to Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Audit Policy and enable “Audit object access – Success”.
Note: In the Local Security Policy it can be found in Security Settings>Local Policies>Audit Policy
Run a gpupdate /force on the server once the policy has been configured.
Next, identify the files/folders you would like to audit. In this case we are going to enable auditing on the entire E drive of our DCs. From a Windows Explorer window, go to Properties of the file, folder or drive and select Security>Advanced>Auditing and click Edit.
From the Auditing tab, click add and enter the users or groups you want to audit. In our case, we want to audit ‘Everyone’. Once you click OK you will be prompted to select what you would like to audit. In this case, we are only going to audit ‘Delete subfolders and files’ and ‘Delete’ and, since we are only concerned if someone successfully deletes a file or folder, we only need to place checks in the Successful column of the two items.
Because you are changing the security, if applying this on a folder or drive, once your click OK it will run through all of the files and folders setting the security information. Depending on the size of your folders or drives this could take a considerable amount of time.
Once completed you should expect to see events 4663 and 4660 in 2008 and above (560 and 564 in legacy systems i believe) in the Security of the Windows Logs when files and folders are deleted on the audited folder or drive. Below are a couple examples.
Also note, depending on how often files/folders are deleted, this could result in an extended amount of logging. Unless absolutely necessary, strongly consider minimizing which users and which folders are being audited instead of using ‘Everyone’ on an entire drive as we have done in this example.
Also, since this will add additional entries in your Security log, I suggest reviewing the Maximum log size and increasing as necessary. Go to Properties of the Security log to increase the maximum log size.
That’s it. For more information regarding group policy and/or auditing see Microsoft TechNet. Happy Auditing!