- Navigate to the file share, right-click it and select "Properties". Select the "Security" tab → "Advanced" button → "Auditing" tab → click the "Add" button:
• Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Delete subfolders and files" and "Delete".
- Run gpedit.msc, create and edit new GPO → Computer Configuration → Policies → Windows Settings → Security Settings → Go to Local Policies → Audit Policy:
• Audit object access → Define → Success and Failures.
- Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
• Audit File System → Define → Success and Failures.
• Audit Handle Manipulation → Define → Success and Failures.
- Link new GPO to File Server and force the group policy update.
- Open Event Viewer and search the Security log for event ID 4656 with the "File System" or "Removable Storage" task category and with the "Accesses: DELETE" string. "Subject: Security ID" will show you who has deleted a file.
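The same search can be scripted instead of clicked through in Event Viewer. The PowerShell below is an added example, not part of the original procedure: it pulls event ID 4656 from the Security log, keeps the two task categories named above, and lists the entries whose access mask includes DELETE. The one-day window, the 5000-event limit and the English task category names are assumptions.

```powershell
# Added example: list DELETE handle requests (event ID 4656) from the Security log.
# Run in an elevated session on the file server.
$Since     = (Get-Date).AddDays(-1)   # assumed look-back window
$MaxEvents = 5000                     # assumed upper bound on events read
$DeleteBit = 0x10000                  # DELETE access right in the AccessMask field

$filter = @{ LogName = 'Security'; Id = 4656; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents |
    Where-Object { $_.TaskDisplayName -in 'File System', 'Removable Storage' } |
    ForEach-Object {
        # Turn the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Keep only requests whose access mask includes DELETE.
        $mask = [Convert]::ToInt64($data['AccessMask'], 16)
        if ($mask -band $DeleteBit) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Result      = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
                SecurityId  = $data['SubjectUserSid']
                Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ObjectName  = $data['ObjectName']
                Process     = $data['ProcessName']
            }
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

Event 4656 records a request for a handle with DELETE access, so a row marked "Audit Failure" is a request that was denied.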