Which user deleted a file on an Active Directory-integrated file server ?

blog.payperitem.com,

To determine which user deleted a file on an Active Directory-integrated file server, you need to have auditing enabled beforehand. Here’s a step-by-step to investigate file deletions using Windows File Server Auditing:

✅ Prerequisites: Enable Auditing

If not already done, follow these steps (you won’t see past events unless auditing was enabled before the deletion):

1. Enable Audit Policy in Group Policy

  • Open gpedit.msc or via GPMC for domain-wide settings.
  • Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy
  • Enable:
    • Audit object access → set to Success and Failure

If using Advanced Audit Policy (Windows Server 2008+), go to:

Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit File System

2. Enable Auditing on Folder/File

  • Right-click the folder (e.g., your shared folder), go to Properties → Security → Advanced → Auditing.
  • Add “Everyone” or targeted users/groups.
  • Choose Delete and Delete subfolders and files under “Successful” events.

🔍 Check Who Deleted the File (After Auditing Is Enabled)

Once auditing is configured:

1. Open Event Viewer

  • Go to: Event Viewer → Windows Logs → Security

2. Look for Event ID: 4660

  • This indicates a file was deleted.
  • Also check:
    • 4656 – Access attempt initiated
    • 4663 – File access (includes deletion)
    • 4658 – Handle closed
    • 564 or 5145 – Sometimes show network file access details

3. Details to Look For:

  • Subject: Security ID (user who performed the action)
  • Object Name: Full file path of the deleted file
  • Accesses: DELETE

🛠️ Pro Tip: Use PowerShell to Filter Logs

Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4660 } | Format-List

Or to narrow by time:
powershell

$start = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4660; StartTime=$start} |
  ForEach-Object { $_.Message }

📦 Optional: Use 3rd Party Tools

If native auditing is insufficient, consider:

  • Microsoft Advanced Threat Analytics
  • ManageEngine ADAudit Plus
  • Netwrix Auditor
  • Lepide Auditor

These offer easier tracking, real-time alerts, and historical analysis.

Active Directory Networking Server 2025 Windows

Related Posts

Configure PAT on firewall

Port Address Translation (PAT), also known as NAT overload, is a technique used to allow multiple devices on a local network to be mapped to a single public IP address (or a few addresses) while maintaining unique private IP addresses for each device. PAT is commonly used in routers and…

Read More
Windows

Diskless Solution

CCBoot is a diskless boot system that will make all of your PCs like new after every single reboot. This means, no more worrying about Spyware, Viruses, and Trojans. Every single time a PC is rebooted, it’s wiped clean, leaving you with the feeling of a fresh install after every…

Read More

Leave a Reply