How to Detect Who Deleted a File from Your Windows File Servers


Native Auditing vs. Netwrix Auditor for Windows File Servers

Native Auditing
Steps
  1. Navigate to the file share, right-click it and select "Properties". Select the "Security" tab → "Advanced" button → "Auditing" tab → click the "Add" button:
    •    Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Delete subfolders and files" and "Delete".
  2. Run gpedit.msc, create and edit a new GPO → Computer Configuration → Policies → Windows Settings → Security Settings → go to Local Policies → Audit Policy:
    •    Audit object access → Define → Success and Failures.
  3. Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
    •    Audit File System → Define → Success and Failures
    •    Audit Handle Manipulation → Define → Success and Failures.
  4. Link the new GPO to the file server and force a Group Policy update.
  5. Open Event Viewer and search the Security log for event ID 4656 with the "File System" or "Removable Storage" task category and the string "Accesses: DELETE". The "Subject: Security ID" field shows who deleted the file.
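
Step 5 can be scripted instead of searched by hand. The PowerShell below is an added example, not part of the original guide: the function name `Get-DeleteRequest` and the sample event are constructed for illustration. It relies on Windows storing the DELETE access right as the token `%%1537` in the event's `AccessList` field.

```powershell
# Added example: pull DELETE handle requests (event ID 4656) out of event XML.
function Get-DeleteRequest {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System['EventID'].InnerText -ne '4656') { continue }
        # Flatten the <Data Name="..."> elements into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        # ObjectType 'File' covers files and folders; registry keys are 'Key'.
        if ($d['ObjectType'] -ne 'File') { continue }
        # %%1537 is the token that Event Viewer renders as "DELETE".
        if ($d['AccessList'] -notmatch '%%1537') { continue }
        [pscustomobject]@{
            Time    = $evt.System.TimeCreated.SystemTime
            Sid     = $d['SubjectUserSid']
            Account = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
        }
    }
}

# Constructed sample event (all values invented), trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4656</EventID>
    <TimeCreated SystemTime="2024-01-15T10:22:31.000Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">D:\Shares\Finance\budget.xlsx</Data>
    <Data Name="AccessList">%%1537 %%4423</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
Get-DeleteRequest -EventXml $sample

# Against the live log (elevated session on the file server):
# Get-DeleteRequest -EventXml (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } |
#     ForEach-Object { $_.ToXml() })
```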

Report sample:

Netwrix Auditor for Windows File Servers
Steps
  1. Run Netwrix Auditor → Navigate to “Reports” → Files Servers → select “File Servers Activity” → Files and Folders Deleted → Click “View”.
  2. In order to save a file, click the "Export" button → Select Excel format → Save as → Choose a location to save it.

Report sample:

Regularly Review File and Folder Deletions to Prevent Data Loss in a Timely Manner

If a file on your server is deleted, whether maliciously or by mistake, sensitive data can be lost and users can lose access to the information they are intended to use, both of which may create additional work for IT staff.
