Enable File/Folder Delete Auditing in Windows Servers

Enable File/Folder Delete Auditing in Windows Servers

Step 1 — Enable Audit Policy

Open:

  • Run → secpol.msc

Go to:

  • Security Settings → Local Policies → Audit Policy

Open:

  • Audit object access

Enable:

  • ✅ Success
  • ✅ Failure

Click
Apply → OK

Method 2 (Advanced Audit Policy)

Open:

  • Run → gpedit.msc

Go to:

  • Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access

Enable:

  • Audit File System → Success + Failure

    Step 2 — Apply Auditing on the Folder

    Right-click the folder you want to monitor:

    • Properties → Security → Advanced → Auditing → Add

    Configure:

    Principal

    • Everyone
      (or specific users/groups)

    Type

    • Success

    Applies to

    • This folder, subfolders and files

    Step 3 — Select Permissions to Audit

    Click Show advanced permissions and enable:

    Required

    • ✅ Delete
    • ✅ Delete subfolders and files

    Optional (Helpful)

    • ✅ Write attributes
    • ✅ Create files / write data
    • ✅ Write extended attributes

    Click
    OK → Apply

    Step 4 — Refresh Group Policy

    Open Command Prompt as Administrator and run:

    gpupdate /force

    (Optional but recommended)

    How to Check Deletion Logs

    Open:

    • Run → eventvwr.msc

    Go to:

    • Windows Logs → Security

    Important Event IDs

    Event IDMeaning
    4663File access/delete attempt
    4660Object deleted
    4656Handle request to object

    Most Useful Event

    Event ID 4663

    Look for:

    • Account Name → user who deleted the file
    • Object Name → full file/folder path
    • AccessesDELETE
    • Time Created → deletion timestamp

    Important Notes

    • Auditing only works after it is enabled.
    • Existing deleted files before configuration will not appear.
    • Excessive auditing on large/shared folders can generate many logs.
    • If logs are not appearing:
      • Restart the machine
      • Re-run gpupdate /force
      • Verify NTFS permissions exist on the folder

    Quick Verification Test

    1. Create a test file in the monitored folder
    2. Delete it
    3. Open Event Viewer
    4. Search for Event ID 4663
    5. Confirm:
      • Username
      • File path
      • DELETE access

    This confirms auditing is working correctly.

    • Related Articles

    • Generate login Icon

      How to Generate Icon for Login Open TSPlus (There is a common password to open the software) [ 0135790 ] Then go to Sessions and Client Generator In General Give Server Address or Domain name then give the Port Preferred display mode select Remote ...

    • Printer Issue

      PRINTER ISSUE To help resolve the issue where the client is unable to print on the server, you can follow these steps in a clear and organized manner: 1.Check Print Queue: Open the Queue for the printer and check if there are any pending print jobs. ...