This tutorial will show you how to audit who deleted a file on a computer running Windows.

Our tutorial will teach you all the steps required to enable the object audit feature on a computer running Windows 2012.

• The domain controller is running Windows 2012 R2.

• The domain computers are running Windows 7 and Windows 10.


Tutorial - Configure the Object Audit GPO

First, we need to enable the object audit feature for the entire domain.

The following tasks were executed on a domain controller running Windows 2012 R2 with Active Directory.

Click on the Start menu, locate and open the Group Policy Management tool.


On the Group Policy Management screen, locate the folder named Group Policy Objects.

Right-click the Group Policy Object named Default Domain Policy and select the Edit option.


On the group policy editor screen, you will be presented with User configurations and Computer configurations.

We will change only the Computer configurations.

We don't need to change any User configuration.

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

•  Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy


On the right, the list of available configuration options will be presented.


Double-click the configuration item named Audit Object Access.

Enable the following security settings:

• Define these policy settings
• Success
• Failure


To finish the group policy creation, you need to close the Group Policy editor window.

The system saves your configuration only when you close the Group Policy editor window.

Tutorial - Enable the Object Audit GPO

Now, we need to enable the object audit feature on the desired files and folders.

In our example, we are going to enable the object audit on a folder named TECHEXPERT.

First, create a folder named TECHEXPERT.

Second, right-click on the folder and select the Properties option.


On the Properties screen, access the Security tab and click on the Advanced button.


On the Advanced Security Settings screen, access the Auditing tab and click on the Add button.


On the new screen, click on the Select a principal option.


Enter the group named Everyone and click on the OK button.


Perform the following configuration:

•  Type - All

• Applies to - This folder, subfolders, and files


On the Advanced permissions area, click on the Show advanced permissions option.

On the Advanced Permission area, enable only the following options:

• Delete subfolders and files.
• Delete.


Click on the OK button to close the window.

Click on the OK button.

Click on the OK button.

Reboot the computer to enable the Object audit group policy.

In our example, we enabled the object audit on a folder named TECHEXPERT.

You have finished the required object audit configuration.

Tutorial - Who deleted my file?

You have finished the creation of the GPO.

But you still need to learn how to discover who deleted your files.

In our example, we are going to show you all the steps required to detect who deleted your files.

First, let's create a text file named TEST.TXT inside the TECHEXPERT folder.


Now, delete the TEST.TXT file.

Open the Windows Event Viewer application.

On the Event Viewer screen, expand the Windows Logs and select the Security option.


Right-click on the Security log and select the Find option.

Enter the name of the deleted file and click on the Find button.


You will find an event with ID 4663 containing the details of the deleted file, including the account that deleted it.


In our example, we detected that the TEST.TXT file was deleted by the Administrator.
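
The same lookup can be done from PowerShell instead of the Event Viewer Find dialog. The script below is an added example, not part of the original tutorial: it reads event ID 4663 from the Security log and keeps only entries where the DELETE access right was used on TEST.TXT. The C:\TECHEXPERT path is an assumption; adjust it to where you created the folder.

```powershell
# Added example: list deletions recorded as event ID 4663 for the audited folder.
# Run from an elevated PowerShell session on the computer that hosts the folder.
$AuditedPath = 'C:\TECHEXPERT'   # assumption: location of the audited folder
$FileName    = 'TEST.TXT'        # file deleted in the tutorial
$DELETE      = 0x10000           # DELETE access right bit in the AccessMask field

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
    ForEach-Object {
        # Turn the EventData name/value pairs of the event into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $name = $data['ObjectName']
        if (-not $name) { return }   # skip events without an object path

        # AccessMask is logged as a hex string such as 0x10000.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)

        # Keep only DELETE accesses to our file inside the audited folder.
        if (($mask -band $DELETE) -and
            $name -like "$AuditedPath\*" -and
            (Split-Path $name -Leaf) -eq $FileName) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object      = $name
                Process     = $data['ProcessName']
                AccessMask  = $data['AccessMask']
            }
        }
    } | Sort-Object TimeCreated | Format-Table -AutoSize
```

The Account column corresponds to the Subject fields shown in Event Viewer, and the Process column shows which program performed the deletion.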