开启文件删除审核日志

1. Navigate to the file share, right-click it and select “Properties” Select the “Security” tab → “Advanced” button → “Auditing” tab → Click “Add” button:

• Select Principal: “Everyone”; Select Type: “All”; Select Applies to: “This folder, subfolders and files”;
• Select the following “Advanced Permissions”: “Delete subfolders and files” and “Delete”.

1. Run gpedit.msc, create and edit new GPO → Computer Configuration → Policies → Windows Settings → Security Settings → Go to Local Policies → Audit Policy:

• Audit object access → Define → Success and Failures.

1. Go to “Advanced Audit Policy Configuration” → Audit Policies → Object Access:

• Audit File System → Define → Success and Failures
• Audit Handle Manipulation → Define → Success and Failures.

1. Link new GPO to File Server and force the group policy update.
2. Open Event viewer and search Security log for event ID 4656 with “File System” or “Removable Storage” task category and with “Accesses: DELETE” string. “Subject: Security ID” will show you who has deleted a file.

eventid: 4660 4663