Enabling Audit for delete action
- Open gpedit.msc and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit object access
- Enable success audit
- Run gpupdate /force to apply the policy
Adding the audit rule to the folder
For the folder you want to audit:
1. Right-click the folder and go to Properties
2. Security tab -> Advanced -> Auditing tab -> Edit -> Add
3. Add the user that has access to the folder.
4. Click Advanced -> check “Delete Folders and Subfolder files” and “Delete”
5. Click OK
6. Now check “Replace all child object auditing entries with inheritable auditing entries from this object”
7. Click OK
View logged events
- Open Event Viewer
- Create a custom view with event IDs 4660 and 4663 (this only needs to be created once).
- Use the Find action to locate events related to the folder path.
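
The folder auditing and event lookup steps above can also be scripted. The PowerShell below is an added example, not part of the original page: it adds the same delete audit entry, then joins 4663 events (which carry the path and access mask) with 4660 events (which record the deletion but no path) on handle ID and process ID. The folder path and account name are placeholder assumptions; run it elevated after the audit policy above has been applied.

```powershell
# Added example. Run from an elevated PowerShell session.
$Folder    = 'C:\Data\Shared'   # assumed example path
$Principal = 'CONTOSO\jdoe'     # assumed example account

# Audit successful deletes on the folder; the entry is inherited by child
# folders and files. Explicit audit entries already set on children are kept.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Flatten an event's named EventData fields into a hashtable.
function Get-EventFields($LogEvent) {
    $fields = @{ Time = $LogEvent.TimeCreated; Id = $LogEvent.Id }
    foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    $fields
}

$records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } `
               -ErrorAction SilentlyContinue | ForEach-Object { Get-EventFields $_ }

# 4660 has no object name, so index it by handle and process for the join.
# Handle IDs are reused over time, so treat Confirmed as best effort.
$deleted = @{}
$records | Where-Object { $_.Id -eq 4660 } |
    ForEach-Object { $deleted["$($_.HandleId)|$($_.ProcessId)"] = $true }

# Keep 4663 events under the folder whose access mask includes DELETE (0x10000).
$records |
    Where-Object { $_.Id -eq 4663 -and $_.ObjectName -like "$Folder*" -and
                   ([Convert]::ToInt32($_.AccessMask, 16) -band 0x10000) } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.Time
            User      = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
            Path      = $_.ObjectName
            Process   = $_.ProcessName
            Confirmed = $deleted.ContainsKey("$($_.HandleId)|$($_.ProcessId)")
        }
    } | Sort-Object Time
```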