Setup file delete audit on Windows Server 2019

Quick notes:

gpedit.msc

Computer Configuration / Windows Settings / Security Settings / Advanced Audit Policy / Object Access

Enable “Audit File System” and tick Success.

Go to the folder to watch, right-click on the folder, Properties / Security Tab / Advanced / Auditing Tab

Add the following:

Principal: Everyone

Type: All

Applies to: This folder, subfolders and files

Click “Show advanced permissions” and tick “Delete subfolders and files” and “Delete”.

Click OK, OK, and OK again.

Create a text file in the directory you just set up to be audited, and then delete the file.

Open Event Viewer, go to the Security log and look for “File System” events. Specifically, ID 4660 should be a delete event.
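Event 4660 records only a Handle ID, not the file name, so the path has to come from the 4663 event logged for the same handle. The PowerShell below is an added example, not part of the original notes, that pairs the two. The sample events, user and path are constructed, and Get-EventField / Get-FileDeletion are hypothetical helper names.

```powershell
# Added example (not from the original notes).
# Read one named <Data> field out of an event's XML.
function Get-EventField([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Pair each 4660 with the 4663 that shares its process and handle.
# Input: event XML strings, oldest first (handle values get reused over time).
function Get-FileDeletion([string[]]$EventXml) {
    $names = @{}   # "ProcessId|HandleId" -> ObjectName from the latest 4663
    foreach ($text in $EventXml) {
        $x   = [xml]$text
        $key = '{0}|{1}' -f (Get-EventField $x 'ProcessId'), (Get-EventField $x 'HandleId')
        switch ([int]$x.Event.System.EventID) {
            4663 { $names[$key] = Get-EventField $x 'ObjectName' }
            4660 {
                [pscustomobject]@{
                    Time    = $x.Event.System.TimeCreated.SystemTime
                    User    = Get-EventField $x 'SubjectUserName'
                    Process = Get-EventField $x 'ProcessName'
                    File    = $names[$key]   # $null when no matching 4663 was supplied
                }
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used above.
$sample = @(
    '<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System><EventData><Data Name="SubjectUserName">alice</Data><Data Name="ObjectName">C:\Audited\test.txt</Data><Data Name="HandleId">0x1a4</Data><Data Name="ProcessId">0x9c8</Data><Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData></Event>'
    '<Event><System><EventID>4660</EventID><TimeCreated SystemTime="2024-01-01T10:00:01Z"/></System><EventData><Data Name="SubjectUserName">alice</Data><Data Name="HandleId">0x1a4</Data><Data Name="ProcessId">0x9c8</Data><Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData></Event>'
)
Get-FileDeletion $sample

# On the audited server, from an elevated prompt:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } -Oldest |
#     ForEach-Object { $_.ToXml() }
# Get-FileDeletion $live
```

A deletion whose File column is empty means the matching 4663 fell outside the events supplied, for example because the Security log had already rolled over.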
