Event ID 4656
I have enabled auditing on my Windows 2008 file server. I am auditing who deletes files\folders. I am trying to understand which is the correct event ID to give me that information. I thought that event ID 4656 gives me the information. Is that correct? Please help!!!
August 4th, 2010 9:17pm

This is a link about the event ID 4656: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4656
August 4th, 2010 9:28pm

This is what you should do to enable auditing on who deletes files/folders:
1) enable success and failure auditing for object access (this is required for delete tracking)
2) enable both success and failure auditing for the delete action
3) apply the delete action audit to the Everyone group.
August 4th, 2010 9:32pm

All of that is already complete. But, again, it is not clear what event ID tells me who deleted the file\folder. From what I understand, if the "Accesses:" field of event ID 4656 has "delete" in it, that doesn't necessarily mean that the user deleted the file. It only means that they have the ability to delete the file. So, what is the correct event ID to tell me who deleted the file\folder?
August 4th, 2010 9:53pm

All I know is that Event ID 560 will appear if a folder is deleted. Try to delete a folder and check the event IDs that appear. One of them should give you the user that performed such a thing.
August 4th, 2010 10:00pm

Hi, Thank you for your post here. Once you enable the audit on the folder/file, Event 4663 will be logged, which indicates the user account who took actions on the file/folders.

An attempt was made to access an object.
Subject:
  Security ID: domain\user
  Account Name: user
  Account Domain: domain
  Logon ID: 0x?????
Object:
  Object Server: Security
  Object Type: File
  Object Name: path of the file/folders
  Handle ID: 0x84c
Process Information:
  Process ID: 0xf00
  Process Name: C:\Windows\explorer.exe
Access Request Information:
  Accesses: DELETE
  Access Mask: 0x10000

ID    Message
4659  A handle to an object was requested with intent to delete.
4660  An object was deleted.
4661  A handle to an object was requested.
4663  An attempt was made to access an object.
August 6th, 2010 8:36am
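As an added example that is not part of the thread, the PowerShell below applies the point made in the last reply and in the original poster's objection: a 4663 whose Accesses field says DELETE (mask 0x10000) only shows that a handle was opened with delete access, while the 4660 that carries the same Handle ID is the record that the object was actually deleted. The two sample events are constructed; the field names and the 0x10000 mask are the standard ones for these events.

```powershell
# Added example, not from the thread. A 4663 with Accesses: DELETE (mask 0x10000) only shows a
# handle opened with delete access; the 4660 carrying the same Handle ID confirms the object was
# deleted. 4660 has no Object Name of its own, so the two events must be joined on HandleId.
# Input: event XML strings as returned by EventLogRecord.ToXml(). The two events below are constructed.
$SampleXml = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID><TimeCreated SystemTime="2010-08-04T13:00:00.000Z"/></System><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CONTOSO</Data><Data Name="ObjectName">D:\Share\report.docx</Data><Data Name="HandleId">0x84c</Data><Data Name="AccessMask">0x10000</Data><Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4660</EventID><TimeCreated SystemTime="2010-08-04T13:00:01.000Z"/></System><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CONTOSO</Data><Data Name="HandleId">0x84c</Data><Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
'@
)

function Get-ConfirmedDeletions {
    param([string[]]$EventXml)
    $parsed = foreach ($x in $EventXml) {
        $doc = [xml]$x
        $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $nsm.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $nsm)) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            Id      = [int]$doc.SelectSingleNode('/e:Event/e:System/e:EventID', $nsm).InnerText
            Time    = [datetime]$doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $nsm).GetAttribute('SystemTime')
            Handle  = $data['HandleId']
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Mask    = $data['AccessMask']
            Process = $data['ProcessName']
        }
    }
    # Handle IDs are reused over time, so keep only the latest DELETE request per handle and
    # clear it once a 4660 has consumed it.
    $pending = @{}
    foreach ($ev in ($parsed | Sort-Object Time)) {
        if ($ev.Id -eq 4663 -and $ev.Mask -and (([convert]::ToInt64($ev.Mask, 16) -band 0x10000) -ne 0)) {
            $pending[$ev.Handle] = $ev
        } elseif ($ev.Id -eq 4660 -and $pending.ContainsKey($ev.Handle)) {
            $req = $pending[$ev.Handle]
            [pscustomobject]@{ Deleted = $ev.Time; User = $ev.User; Object = $req.Object; Process = $ev.Process }
            $pending.Remove($ev.Handle)
        }
    }
}

Get-ConfirmedDeletions -EventXml $SampleXml | Format-Table -AutoSize
# Live use on the file server (elevated prompt):
# Get-ConfirmedDeletions -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663,4660} | ForEach-Object { $_.ToXml() })
```

A 4663 with DELETE that never gets a matching 4660 is exactly the case the original poster worried about: the handle had delete access, but nothing was removed.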
