Introducing ADAudit Plus' Attack Surface Analyzer—Detect 25+ AD attacks and identify risky Azure configurations. Learn more×
 
Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Get Quote

  1. To enable auditing for object access-related events

    The first step in tracking who deleted a file from your file servers is to enable auditing. Auditing allows you to tell Windows the specific set of changes you want to monitor so that only these events are recorded in the security log.

    A. Define the audit policies.

    • 1 Run gpmc.msc (Group Policy Management Console).
    • 2 Create a new GPO.
    • 3 Click Edit and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.Under Audit Policies, you'll find specific settings for Object Access.
      Object Access:
      • Audit File System > Define > Success and Failures.
      • Audit Handle Manipulation > Define > Success and Failures.
    • 4 To link the new GPO to your domain, right-click ‹your domain› ,Select Link an Existing GPO and choose the GPO that you created.
    Note:By default, Windows updates Group Policy every 90 minutes; if you want the changes to be reflected immediately, you can force a background update of all Group Policy settings by executing the following command in the Windows Command Prompt: gpupdate /force

    B. Define the system access control list (SACL).

    • 1 Go to the file share, right-click and select Properties. Under the Security tab, navigate to Advanced > Auditing, and click Add.
    • 2 This brings up another window where you'll make the following selections—Principal: Everyone; Type: All; Applies to: This folder, subfolders and files.
    • 3 Then select Advanced Permissions: Delete subfolders and files, and Delete.

    To view the events, open Event Viewer and navigate to Windows Logs › Security. Here you'll find details of all events that you've enabled auditing for. You can define the size of the security log here, and you can choose to overwrite older events so that recent events are recorded when the log is full.

    Track user logon logoff active directory
  2. Understanding event IDs associated with logon and file deletion
    • Event ID 4663 — An Attempt Was Made To Access An Object

      Event ID 4663 shows that a specific operation was performed on an object. The object could be a file system, kernel, registry object, or file system object on removable media or a device. Learn more

    • Event ID 4660 — An Object Was Deleted

      Event ID 4660 is generated when an object is deleted. The object could be a file system, kernel, or registry object. This event does not contain the name of the deleted object. Learn more

    Common identifiers required to tie these events together are matching Process IDs and Handle IDs on both event ID 4663 and 4660. This will help identify the object that was deleted from details in event 4663.

  3. Limitations of native auditing tools
    • There's no central repository for all change audit logs. File and folder activity logs are only recorded in the security log of individual computers (workstations or Windows servers).
    • There's a size limit for Windows security logs, which can be an major issue for security.
    • Windows doesn't offer event reporting, and with poor search filters, this makes root cause analysis a challenge.
    • The lack of a robust real-time incident notification and threat response system is a severe limitation.
  4. An easier way to detect who deleted a file from your file servers

    A tool like ADAudit Plus audits Windows file servers, failover clusters, NetApp, and EMC storage devices to document changes to files and folders. It also helps monitor system configurations, program files, and folder changes to ensure file integrity across your network.

    With ADAudit Plus, you can instantly view reports on:

    • Files read.
    • File write actions.
    • Files modified.
    • Files created, deleted, moved, renamed, and copied and pasted.
    • Permission changes.
    • Synology and Hitachi
    • Failed access attempts, and more.

This information is provided on an easy-to-understand web interface that displays statistical information through charts, graphs, and a list view of canned and customized reports.



Instantly view in-depth graphs and reports on all Windows servers with ADAudit Plus.

File server access reports
   File server access reports
Active directory audit logon failure
 
ADAudit Plus is a web-based, real-time Active Directory change auditing tool that helps you,

To learn more about how ADAudit Plus can help you with all your Active Directory auditing needs,
please visit: https://www.manageengine.com/products/active-directory-audit

ADAudit Plus Trusted By