Which user deleted a file on an Active Directory-integrated file server?

blog.payperitem.com, April 11, 2025 | April 15, 2025

To determine which user deleted a file on an Active Directory-integrated file server, auditing must have been enabled before the deletion took place. Here’s a step-by-step guide to investigating file deletions using Windows File Server Auditing:


✅ Prerequisites: Enable Auditing

If not already done, follow these steps (you won’t see past events unless auditing was enabled before the deletion):

1. Enable Audit Policy in Group Policy

  • Open gpedit.msc for local policy, or use GPMC for domain-wide settings.
  • Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy
  • Enable:
    • Audit object access → set to Success and Failure

If using Advanced Audit Policy (Windows Server 2008+), go to:

Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit File System

2. Enable Auditing on Folder/File

  • Right-click the folder (e.g., your shared folder), go to Properties → Security → Advanced → Auditing.
  • Add “Everyone” or targeted users/groups.
  • Choose Delete and Delete subfolders and files under “Successful” events.

🔍 Check Who Deleted the File (After Auditing Is Enabled)

Once auditing is configured:

1. Open Event Viewer

  • Go to: Event Viewer → Windows Logs → Security

2. Look for Event ID: 4660

  • This indicates a file was deleted.
  • Also check:
    • 4656 – Access attempt initiated
    • 4663 – File access (includes deletion)
    • 4658 – Handle closed
    • 564 or 5145 – Sometimes show network file access details

3. Details to Look For:

  • Subject: Security ID (user who performed the action)
  • Object Name: Full file path of the deleted file
  • Accesses: DELETE

🛠️ Pro Tip: Use PowerShell to Filter Logs

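```powershell
# Reads the entire Security log and filters client-side; slow on large logs
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4660 } | Format-List
```

Or to narrow by time:

```powershell
# Let the event log query do the filtering: event 4660 from the last 24 hours
$start = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4660; StartTime=$start} |
    ForEach-Object { $_.Message }
```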
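Event 4660 records only the Handle ID, not the file path, so the Object Name and Accesses fields listed above come from the matching 4663 event. The following is an added example (not code from the original post) that pairs the two events; the function names Get-FileDeletion and New-SampleEvent and the sample events are constructed for illustration.

```powershell
# Added example (not from the original post). Pairs each 4663 that requested
# DELETE (it carries Object Name) with the 4660 sharing its process and Handle ID.
function Get-FileDeletion {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    begin { $records = @() }
    process {
        $x = [xml]$EventXml
        $r = @{ Id       = [int]$x.SelectSingleNode("//*[local-name()='EventID']").InnerText
                RecordId = [long]$x.SelectSingleNode("//*[local-name()='EventRecordID']").InnerText
                TimeUtc  = $x.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime') }
        foreach ($d in $x.SelectNodes("//*[local-name()='Data']")) { $r[$d.GetAttribute('Name')] = $d.InnerText }
        $records += [pscustomobject]$r
    }
    end {
        $pending = @{}   # "ProcessId|HandleId" -> 4663 still waiting for its 4660
        foreach ($r in $records | Sort-Object RecordId) {
            $key = "$($r.ProcessId)|$($r.HandleId)"
            if ($r.Id -eq 4663 -and ([int]$r.AccessMask -band 0x10000)) {      # 0x10000 = DELETE
                $pending[$key] = $r
            } elseif ($r.Id -eq 4660 -and $pending.ContainsKey($key)) {
                $hit = $pending[$key]; $pending.Remove($key)
                [pscustomobject]@{ TimeUtc = $r.TimeUtc; Path = $hit.ObjectName; Process = $hit.ProcessName
                                   User = "$($hit.SubjectDomainName)\$($hit.SubjectUserName)" }
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used. On a real server, feed the function with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4660,4663} | ForEach-Object { $_.ToXml() }
function New-SampleEvent($Id, $Rec, $Fields) {
    $data = -join ($Fields.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" })
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<EventRecordID>$Rec</EventRecordID><TimeCreated SystemTime='2025-04-10T09:15:0$Rec.0Z'/></System>" +
    "<EventData>$data</EventData></Event>"
}
$who = @{ SubjectUserName = 'jdoe'; SubjectDomainName = 'CONTOSO'
          ProcessId = '0x1f3c'; ProcessName = 'C:\Windows\explorer.exe' }
$sample = @(
    New-SampleEvent 4663 1 ($who + @{ HandleId = '0x1a4'; AccessMask = '0x10000'; ObjectName = 'D:\Shares\Finance\q1.xlsx' })
    New-SampleEvent 4660 2 ($who + @{ HandleId = '0x1a4' })
    # DELETE access with no 4660 afterwards (as seen on a rename): not reported
    New-SampleEvent 4663 3 ($who + @{ HandleId = '0x2b0'; AccessMask = '0x10000'; ObjectName = 'D:\Shares\Finance\old.txt' })
)
$sample | Get-FileDeletion | Format-List
```

Only the first sample pair is reported, because a 4663 with DELETE access is also logged for operations such as renames, while 4660 is generated only when the object is actually deleted.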

📦 Optional: Use 3rd Party Tools

If native auditing is insufficient, consider:

  • Microsoft Advanced Threat Analytics
  • ManageEngine ADAudit Plus
  • Netwrix Auditor
  • Lepide Auditor

These offer easier tracking, real-time alerts, and historical analysis.
