How to find out & set policy in Window Server 2016. To search in security event viewer for users accidentally delete shared network folder?

Question

I am trying to set GPO so that I can search user in event viewer who accidentally deleted the share drive in the network.

What other event IDs list can I search so that I know which category it belongs to?

Example 4624 = logon

I had tried the below steps however, when i do a search filter, it did not shows the deleted item Event ID#4663, instead it shows others access.

Keep in mind that you first need to set an audit policy. There is also an tool which can do this AD Audit Plus. woshub.com/tracking-files-deletion-using-audit-policy-and-mssql — Ace
– Ace, Commented Oct 11, 2022 at 0:07

Ace · Accepted Answer · 2022-09-24 01:11:35Z

You first need to

Enable File and Folder Access Auditing Policy
Now you need to configure auditing in the properties of the share network folder you want to track
Now, if the user deletes any file or folder in the shared network folder, the File System -> Audit Success file delete event appears in the Security log with Event ID 4663 from the Microsoft Windows security auditing source. Open the Event Viewer mmc console (eventvwr.msc), expand the Windows Logs -> Security section. Enable event log filter by the EventID 4663.

Lucky Luke · Accepted Answer · 2022-09-25 11:07:59Z

This link has all the information you need to enable auditing:

This site will also give you more information on other events, such as 4624.

I hope you understand that you cannot enable auditing retroactively, so this will of course only work for future activity/events.

2 Answers 2