question

LoAlbert-3470 asked ElevenYu-MSFT answered

Some files on Windows Server were deleted and I want to start an investigation: can any logs be found on the Windows server or workstation?

Our office is using Windows Server 2016 Standard for data sharing purposes for 17 staff members in the office, and each staff member is able to connect to the Windows Server for retrieving and storing files / data.

We received a complaint from one of our staff that some files / data which she stored in a folder on the data server were deleted. Actually, those files were saved on the data server on 10 November at around 6:00 pm from her workstation. When the staff member returned to the office on 11 Nov at around 09:15 am, she found that all the files were deleted. This is a very serious incident!

I am going to investigate this incident and would like to know if Windows Server recorded this event in its logs so that I can find out who deleted these files from the Windows server. How can I retrieve these logs from the Windows server or the staff workstations? Please advise. Thank you.

windows-server-2016

DSPatrick answered

You can follow along here to set up some file auditing.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder

--please don't forget to Accept as answer if the reply is helpful--






ElevenYu-MSFT answered

Hi,

You can refer to the articles below for detailed steps to enable an audit policy for tracking file/folder creation and deletion in Windows.

https://www.manageengine.com/products/active-directory-audit/how-to/track-file-and-folder-creation-deletion-in-windows.html
https://www.lepide.com/how-to/track-file-deletions-and-permission-changes-on-file-servers.html

Thanks,
Eleven


If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.
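
With file auditing of the kind the answers above point to (the Audit File System policy plus an auditing entry on the shared folder), a deletion is written to the server's Security log as event 4663 carrying the DELETE access right, followed by event 4660; only deletions made after auditing was enabled are recorded. The PowerShell below is an added example, not code from this thread or the linked articles, that pulls those events for a time window and reports the account behind each one. The folder path and the time window are assumed placeholders.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the file server.
function Get-FileDeletionEvent {
    param(
        [Parameter(Mandatory)] [string]   $Folder,  # audited folder, e.g. a hypothetical 'D:\Shares\Data'
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End
    )

    # Flatten an event's <EventData> into a name/value hashtable.
    $toFields = {
        param($evt)
        $h = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.InnerText }
        $h
    }

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4660, 4663; StartTime = $Start; EndTime = $End
    } -ErrorAction SilentlyContinue

    # 4660 = an object was deleted; it carries the handle but not the file name.
    $deleted = @{}
    foreach ($e in $events | Where-Object Id -eq 4660) {
        $f = & $toFields $e
        $deleted["$($f.HandleId)|$($f.SubjectLogonId)"] = $true
    }

    # 4663 = access attempt; keep those under $Folder that used the DELETE right (0x10000).
    foreach ($e in $events | Where-Object Id -eq 4663) {
        $f = & $toFields $e
        if (-not "$($f.ObjectName)".StartsWith($Folder, [StringComparison]::OrdinalIgnoreCase)) { continue }
        if (-not ([Convert]::ToInt32($f.AccessMask, 16) -band 0x10000)) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            File      = $f.ObjectName
            Process   = $f.ProcessName
            # Handle values are reused over time, so a match is a strong hint, not proof.
            Confirmed = $deleted.ContainsKey("$($f.HandleId)|$($f.SubjectLogonId)")
        }
    }
}

# Prerequisite checks (both must have been in place before the files were removed):
#   auditpol /get /subcategory:"File System"        # is Success auditing enabled?
#   (Get-Acl -Path 'D:\Shares\Data' -Audit).Audit    # auditing entries (SACL) on the folder
# Usage (hypothetical path; <year> is a placeholder, the thread gives only day and time):
#   Get-FileDeletionEvent -Folder 'D:\Shares\Data' -Start '<year>-11-10 18:00' -End '<year>-11-11 09:15'
```

An empty result with the prerequisite checks also coming back empty means the server was not auditing the folder at the time, so the Security log will not hold the deletion.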
