Windows – How to Find out who deleted files windows server 2012 R2

filesystemslog-fileswindowswindows-server-2012-r2

I have windows server 2012 R2 Essentials installed in my local to use it as a file sharing server for local usage. I have created users with windows server essentials dashboard and also created server folders with the same. Recently some one tried delete/cut an entire folder and as a result like 90% of the folder is gone and some sub folders and files are in partial deleted state. is there a way to find out which domain user did that ?

as a precaution I did change the folder permissions now, so that domain users cant delete a folder

Best Answer

Not unless proper auditing was configured beforehand.

For the system:
Advanced Audit Policy, Object Access, Audit File System (Success and Failure)

For the directory:
Advanced Security Settings, Auditing, Everyone - Delete (All)

With those configured, you'd see Event ID 4660 An object was deleted and Event ID 4663 in the Security Log:

An attempt was made to access an object.
  Subject:
    Security ID:        DOMAIN\USER
  Object:
    Object Name:        C:\share\one
  Access Request Information:
    Accesses:       DELETE
Related Topic