How to Track File Deletions on Windows Server Shares

Consolidating documents and files on a server provides many benefits. Servers reduce data duplication, help ensure everyone has access to the most recent versions of files and, perhaps most important of all, keep track of business content. A recent post, 4 Ways to Detect if your Business Benefits from a Server, covers the many benefits of having a server in greater detail.

However, like most things, there are also issues that can arise. The main drawback of storing and sharing files on a server shows up when files are deleted. Whether your organization consists of 3 people or 300, files inside shared folders are processed differently than files outside the folder shares, even on the same device. This post explains why these differences matter and how you can track file deletions.

The big difference

The difference between shared files and files stored in unshared folders is that when files are deleted from a share, they DO NOT go into the recycle bin. Instead, these files are permanently deleted. As a result, these files are at greater risk of being removed from your organization, whether intentionally or accidentally.

This is another reason why having regular backups of your business files is integral to the continuity of every business. Secondary to the ability to restore the deleted file, knowing who deleted the file is also useful. This information can help focus training efforts, and ideally, prevent the issue in the future. Tracking file deletions for shared files is a 3-step process.

First - Enable file deletion auditing for shared files

  • Navigate to the folder being shared.
  • Right-click the folder and select "Properties" from the popup menu.
  • Click on the "Security" tab.
  • Click on the "Advanced" button in the bottom right.

Security tab properties of the Shared folder.

  • In the Advanced window, click on the "Auditing" tab.
  • Click the "Add" button in the bottom left to add an auditing entry.

Where to add an audit entry for a specific folder.

  • In the new Auditing entry, click the "Select a principal" link at the top.

Configurations available when customizing an audit entry.

  • In the Auditing Entry box, type "Everyone" in the box under the heading "Enter the object name to select".
  • Click the "Check Names" box to verify it. The name will be underlined once it has been verified. NOTE: If the item does not verify, check the object spelling.

Adding the Everyone group to an audit entry so everyone deleting files is tracked.

  • Click the "OK" button to save.
  • In the drop down menu next to "Type", select "All".

Basic permissions available in the audit entry.

  • Click the "Show advanced permissions" link on the right side in the Basic Permissions box.
  • Click the "Clear all" button to remove any checkbox selections.
  • Select the boxes next to "Delete subfolders and files" and "Delete".

Advanced permissions available in the audit entry.

  • Click "OK".
  • Click "Apply".
  • You may see a Windows Security box applying the new security settings.

New security settings being applied to all folders, sub-folders and files the audit entry was applied to.

  • Click "OK" two more times to close the remaining dialog boxes.

Second - Enable auditing in the Group Policy editor

  • Click the Start menu and type "gpedit.msc".
  • Select "Group Policy Editor" to open it.
  • Expand to navigate to the following folder: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.

Using the group policy editor to navigate to the Audit Policy objects in Local Policies.

  • In the popup, check the boxes to enable "Success" and "Failure" attempts, then click "Apply" and "OK" to close this object.

Adding both success and failure attempts to the auditing object.

The policy shows the new security settings.

The new settings for the auditing object now applied and listed in the Security Setting column.

Third - Create a filtered custom view in Event Viewer

  • Click Start and type "Event".
  • Select the "Event Viewer" app to open it.
  • Right-click the "Custom Views" folder and select "Create Custom View...".

Accessing the Custom Views section of the Event Viewer.

  • In the Create Custom View box, select "Event logs:" from the drop down menu.
  • Expand "Windows Logs" and check the box next to "Security".

Creating a filtered view that includes Security logs.

  • Click the drop down menu again to collapse it.
  • In the box with "<All Event IDs>", type "4656".

Adding the event ID for this auditing event.

  • Click "OK" to save the settings.
  • Change the name of the view to something you will remember, like "File Deletion Audit", then click "OK".

Saving the new filtered event viewer custom view.

The custom view is now listed in the Event Viewer.

The newly created File Deletion Audit custom view is now listed under the Custom Views folder in Event Viewer.

Use the filtered custom view to see information about all files deleted from the shared folder. Each event includes the following information:

  • The account (user) that deleted the file.
  • The date and time the file was deleted.
  • The name and location of the file deleted.

Event details from filtered event viewer showing the user who deleted the file, the file deleted, the file location, and the date and time the file was deleted. NOTE: This image has been modified to show information that is only viewable when scrolling through the details.
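
The three steps above can also be scripted. The PowerShell below is an added example, not part of the original post: the share path D:\Shares\Public is a placeholder, the function name Get-ShareDeleteEvent is made up for illustration, and it assumes the policy enabled in the second step is object access auditing, which the post does not name. It goes slightly beyond the custom view by keeping only the 4656 events under the share whose requested access includes the Delete right.

```powershell
# Added example: run in an elevated PowerShell session on the file server.
$SharePath = 'D:\Shares\Public'   # placeholder path (assumption), not from the post

# Step 1: audit entry for Everyone, type All (Success + Failure), limited to
# "Delete" and "Delete subfolders and files", inherited by subfolders and files.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $SharePath -Audit      # -Audit loads the audit entries (SACL) too
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Step 2: turn on Success and Failure auditing for object access
# (assumption: this is the audit policy the second step enables).
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Step 3: read event ID 4656 from the Security log and keep only requests
# under the share whose access mask includes DELETE (0x10000).
function Get-ShareDeleteEvent {
    param([string]$Path = $SharePath, [int]$MaxEvents = 5000)
    $delete = 0x10000
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'      # flatten EventData into name/value pairs
        }
        $inShare = "$($data.ObjectName)".StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)
        $mask    = if ($data.AccessMask) { [Convert]::ToInt32($data.AccessMask, 16) } else { 0 }
        if ($inShare -and ($mask -band $delete)) {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                User   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                File   = $data.ObjectName
                Result = $evt.KeywordsDisplayNames -join ', '   # Audit Success / Audit Failure
            }
        }
    }
}

Get-ShareDeleteEvent | Sort-Object Time -Descending | Format-Table -AutoSize
```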

Consolidating files so they can be shared with multiple users is a great way to provide access to those files without suffering file duplication or version issues. However, files deleted from shares are permanently deleted with no way to recover those files unless a backup system is in place. To track who deletes shared files, follow the 3 steps above. With this information, you can direct further education about how shared files work and caution users about deleting shared files.

As always, the more information you have the better you can protect your business and your data!