How to audit file and folder deletes on Windows Server 2008 R2

Tags: audit, deleting, windows-server-2008-r2

I need to enable auditing of delete actions on a specific network shared folder (and all its children) on a Windows Server 2008 R2 machine. The closest I could find was this article – http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/ – but it relates to 2003.

In the comments one person notes that the EventIDs 560 and 564 are not relevant to Win 2003. They suggest that a delete on Win 2008 is EventID 4656, but I don't find any of these events in my security log. I enabled auditing on the folder via the Security tab option after right-clicking on the folder. Another comment in the quoted link suggests that auditing must be enabled both on the local file system and the server, and also that group policies could overwrite any local policies.

I tried to enable auditing in the Local Security Policies under Local Policies\Audit Policy\Audit object access, but it seems to be removed every time I close the policy console. I am a local admin on the server but not a domain admin, and a bit stuck at this point. Any pointers will be most appreciated.
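The two halves the question describes (the per-folder SACL set from the Security tab, and the Object Access audit policy that a GPO can overwrite) can both be set and then verified from an elevated PowerShell prompt on the file server. The script below is an added example, not code from the question or the linked article; the folder path D:\Shares\Projects is an assumption. On Windows Server 2008 R2 the pre-Vista IDs 560/564 are replaced by 4656 (handle requested, listing DELETE in the access mask), 4663 (access exercised) and 4660 (object deleted), so those are the IDs the last step pulls from the Security log.

```powershell
# Added example, not from the question or the linked article.
# Assumes: the shared folder is D:\Shares\Projects (constructed path) and this
# runs in an elevated PowerShell session on the file server itself.
$Folder = 'D:\Shares\Projects'

# 1. Turn on the "File System" subcategory of Object Access for success and failure.
#    On a domain member a GPO that defines Audit Policy wins at the next policy
#    refresh, which is what makes a local setting appear to "disappear"; confirm the
#    effective value afterwards with:  auditpol /get /category:"Object Access"
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry that audits Delete and DeleteSubdirectoriesAndFiles for
#    Everyone, inherited by every subfolder and file (this is what the Security
#    tab > Advanced > Auditing dialog writes).
$acl         = Get-Acl -Path $Folder -Audit
$rights      = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', $rights, $inherit, $propagation, $auditFlags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back the delete events. 4656 and 4663 carry the account, the object path
#    and the access mask (DELETE); 4660 confirms the object was actually removed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4660, 4663 } -MaxEvents 500 |
    Where-Object { $_.Message -match [regex]::Escape($Folder) -and $_.Message -match 'DELETE' } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List
```

Step 2 needs SeSecurityPrivilege, which a local administrator in an elevated session has, so the SACL part of the question is within a local admin's reach; step 1 is the part that a domain Audit Policy GPO will keep reverting, and in that case the setting has to be made in the GPO (or in a GPO scoped to this server) by someone with rights to edit it.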

Best Answer

Enable Active Directory Recycle Bin on that share, and afterwards audit delete changes in your Active Directory. (Active Directory Recycle Bin Step-by-Step Guide)

Using the auditing mechanism

In Windows Server 2008 R2, as in Windows Server 2008, you can use the Active Directory Domain Services (AD DS) auditing mechanism with the Directory Service Changes audit policy to log old and new values when changes are made to Active Directory objects and their attributes. We recommend that you implement auditing in your Active Directory environment to track all object deletions, object deletion times, and the account names that perform these object deletions. For more information, see the AD DS Auditing Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=125458).

From: Appendix A: Additional Active Directory Recycle Bin Tasks

NB: You need to be more than a local admin for that solution.
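The Recycle Bin plus Directory Service Changes auditing that the answer and the quoted guide describe can be set up from PowerShell on a domain controller. The block below is an added example, not code from the answer or the Microsoft guide; the forest name contoso.com is an assumption, and it assumes the forest is already at the Windows Server 2008 R2 functional level and that the session runs as an Enterprise Admin (which is the "more than a local admin" the NB refers to).

```powershell
# Added example, not from the answer or the linked guides.
# Assumes: forest contoso.com (constructed name) at the 2008 R2 forest functional
# level, run in an elevated session on a DC as a member of Enterprise Admins.
Import-Module ActiveDirectory
$Forest = 'contoso.com'
$DomainDN = 'DC=contoso,DC=com'

# 1. Enable the Recycle Bin optional feature. This is a one-time, irreversible
#    forest-wide change, so -Confirm:$false is only appropriate once it has been agreed.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false

# 2. Turn on the "Directory Service Changes" subcategory. On a DC the Default Domain
#    Controllers Policy normally owns this setting; set it there if this local change
#    is reverted at the next policy refresh.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 3. Add a SACL entry on the domain root that audits Delete/DeleteTree/DeleteChild
#    for Everyone, inherited by all objects, so deletions produce event 5141.
$acl  = Get-Acl -Path "AD:\$DomainDN" -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            [System.Security.Principal.NTAccount]'Everyone',
            [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild',
            [System.Security.AccessControl.AuditFlags]::Success,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# 4. Review: 5141 "A directory service object was deleted" gives the account and
#    the object DN; the tombstones themselves are listed from the Recycle Bin.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5141 } -MaxEvents 100 |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -Properties whenChanged, lastKnownParent |
    Where-Object { $_.Name -ne 'Deleted Objects' } |
    Select-Object Name, whenChanged, lastKnownParent

# A deleted object found this way is restored with Restore-ADObject -Identity <objectGUID>.
```

Event 5141 is written on the domain controller where the deletion happened, so the review step has to be run (or the Security logs collected) on every DC, not just the one the script was executed on.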
