How to Track file deletions and permission changes on Windows file server

Can IT administrators find out who deleted files or folders when the organization has numerous file servers? Yes. This is possible by enabling object access auditing and then configuring the specific files/folders for auditing. Administrators can thereafter find the deletion events in the Windows security logs. Similarly, they can track permission changes too. The major steps involved are (detailed steps are given for Windows Server OS):

1) Enable ‘Audit Object Access’ using the Local Computer Policy
2) Configure the files and folders that are to be audited at the system level
3) Check for the deletion/permission change events in Windows Security logs using the event viewer

Step 1: To enable object access auditing, go to Start>All Programs>Administrative Tools, and click Local Security Policy

Step 2: Expand Local Policies, select Audit Policy, and double-click Audit object access

Step 3: Click Success under Audit these attempts (if you want to track failed attempts, click Failure too); click Apply

Step 4: Now, in Windows Explorer, select the file/folder whose deletions and permission changes are to be tracked; right-click on it and select Properties

Step 5: In the Properties window, go to Security tab and click Advanced

Step 6: In the Advanced Security Settings window, go to the Auditing tab. It will display existing auditing entries (if there are any). To add a new entry, click Edit

Step 7: To add new users whose deletion/permission change actions should be tracked, click Add

Step 8: It is suggested that you add Everyone so that file deletions and permission changes by all users can be tracked

Step 9: Now under Successful check the required accesses—Delete subfolders and files, Delete, and Change permissions

Step 10: The newly created auditing entry gets listed under the Auditing tab. From now onwards, the deletions and permission changes on the file/folder will be recorded in the Windows security logs

Step 11: Now, open Windows Event Viewer and go to Windows Logs > Security. Use the Filter Current Log option to find events with ID 4660 (file/folder deletions) or ID 4670 (permission changes)
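
The same procedure as a script, added here as an example that is not part of the original article. It assumes an elevated PowerShell session on the file server, a hypothetical folder `D:\Shares\Finance`, and a helper name `Get-FileAuditEvent` chosen for this example.

```powershell
# Added example; run in an elevated PowerShell session on the file server.
$Path = 'D:\Shares\Finance'   # hypothetical folder to audit (assumption)

# Steps 1-3: enable success auditing for the Object Access category.
auditpol /set /category:"Object Access" /success:enable | Out-Null

# Steps 4-10: add an auditing entry (SACL) for Everyone covering
# Delete, Delete subfolders and files, and Change permissions.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # Everyone
$rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions'
# Applies to this folder, subfolders and files ($Path is assumed to be a folder).
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Step 11: read deletion (4660) and permission-change (4670) events.
function Get-FileAuditEvent {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 4660, 4670; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Index the event's named data fields.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                User     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Object   = $data.ObjectName   # empty for 4660, which logs only a handle ID
                HandleId = $data.HandleId
                Process  = $data.ProcessName
            }
        }
}

Get-FileAuditEvent | Sort-Object Time | Format-Table -AutoSize
```

Event 4660 carries no object name; the path of the deleted item is in the 4663 event with the same Handle ID, logged just before it.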

It is possible for organizations to track deletions of important files and folders on their file servers. Also, it is possible to track permission changes on various file server objects. This is facilitated by enabling object access auditing and then configuring the files and folders for auditing. Thereafter, all events related to deletions and permissions will be recorded in the event logs of the Windows operating system.