I have a setup consisting of a Server 2016 and Windows 10 client, on the server, there is a file share I have configured with auditing and I am using the client to access the file share remotely.
The GPO I am using has Audit Object Access and Audit File system enabled and for the auditing, I configured Everyone with delete and delete subfolders and files.
When I delete a folder I get 4660 (An object was deleted) which is what I expected but when I delete a file I get 4659 (A handle to an object was requested with intent to delete) but no 4660. Is this supposed to be correct, does deleting a file and folder generate different event IDs? Does 4659 represent file deletion or just an attempt of file deletion?
If this is correct, is there a possible way for both events (file or folder deletion) to have same event IDs so I can make auditing easier.



