This tutorial will show you how to audit who deleted a file on a computer running Windows.
Our tutorial will teach you all the steps required to enable the object audit feature on a computer running Windows 2012.
• The domain controller is running Windows 2012 R2.
• The domain computers are running Windows 7 and Windows 10.
Tutorial – Configure the Object Audit GPO
First, we need to enable the object audit feature for the entire domain.
The following tasks were executed on a domain controller running Windows 2012 R2 with Active Directory.
Click on the Start menu, locate and open the Group Policy Management tool.
On the Group Policy Management screen, locate the folder named Group Policy Objects.
Right-click the Group Policy Object named Default Domain Policy and select the Edit option.
On the group policy editor screen, you will be presented with User configurations and Computer configurations.
We will change only the Computer configurations.
We don’t need to change any User configuration.
On the group policy editor screen, expand the Computer configuration folder and locate the following item.
• Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
On the right, the list of available configuration options will be presented.
Double click the configuration item named: Audit Object Access.
Enable the following security settings:
• Define these policy settings
• Success
• Failure
To finish the group policy creation, you need to close the Group Policy editor window.
The system saves your configuration only when you close the Group Policy editor window.
Tutorial – Enable the Object Audit GPO
Now, we need to enable the object audit feature on the desired files and folders.
In our example, we are going to enable the object audit on a folder named TECHEXPERT.
First, create a folder named TECHEXPERT.
Second, right click on the folder and select the Properties option.
On the Properties screen, access the Security tab and click on the Advanced button.
On the Advanced Security Settings screen, access the Auditing tab and click on the Add button.
On the new screen, click on the Select a principal option.
Enter the group named Everyone and click on the Ok button.
Perform the following configuration:
• Type – All
• Applies to – This folder, subfolders, and files
On the Advanced permissions area, click on the Show advanced permissions option.
On the Advanced Permission area, enable only the following options:
• Delete subfolders and files.
• Delete.
Click on the Ok button to close the window.
Click on the Ok button.
Click on the Ok button.
Reboot the computer to enable the Object audit group policy.
In our example, we enabled the object audit on a folder named TECHEXPERT.
You have finished the required object audit configuration.
Tutorial – Who deleted my file?
You have finished the creation of the GPO.
But, you still need to learn how to discover who deleted your files.
In our example, we are going to show you all the steps required to detect who deleted your files.
First, let’s create a text file named TEST.TXT inside the TECHEXPERT folder.
Now, delete the TEST.TXT file.
Open the Windows Event Viewer application.
On the Event Viewer screen, expand the Windows Logs and select the Security option.
Right click on the Security log and select the Find option.
Enter the name of the deleted file and click on the Find button.
You will find an event with ID 4663 containing the details of the deleted file.
In our example, we detected that the TEST.TXT file was deleted by the Administrator.
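The Event Viewer search above can also be scripted. The following PowerShell is an added example, not part of the original tutorial: it reads event ID 4663 from the Security log and keeps only the entries where the DELETE access right was used. The function names, the C:\TECHEXPERT path and the sample event are assumptions constructed for illustration.

```powershell
# Added example. Turns the XML of a 4663 event into user / file / process fields.
function ConvertFrom-DeleteEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = [xml]$EventXml
        # Flatten the <Data Name="..."> elements into a name -> value table.
        $d = @{}
        foreach ($n in $evt.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        # 4663 is logged for every audited access; 0x10000 is the DELETE right.
        if (([Convert]::ToInt32($d['AccessMask'], 16) -band 0x10000) -eq 0) { return }
        [pscustomobject]@{
            TimeUtc = $evt.Event.System.TimeCreated.SystemTime
            User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            File    = $d['ObjectName']
            Process = $d['ProcessName']
        }
    }
}

# Live query; needs an elevated session to read the Security log.
# C:\TECHEXPERT is an assumed path for the tutorial's folder.
function Get-FileDeletion {
    param([string]$Folder = 'C:\TECHEXPERT')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-DeleteEventXml |
        Where-Object { $_.File -and $_.File.StartsWith("$Folder\", [StringComparison]::OrdinalIgnoreCase) }
}

# Constructed sample event (trimmed to the fields used above) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.0000000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">C:\TECHEXPERT\TEST.TXT</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="AccessMask">0x10000</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-DeleteEventXml
# Get-FileDeletion -Folder 'C:\TECHEXPERT' | Sort-Object TimeUtc
```

Run the live query on the computer that hosts the audited folder, since the 4663 events are written to that machine's Security log.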