Windows File Server : How To Enable File Auditing

Windows Server logo

I'm sure you've already heard users complaining that files have mysteriously disappeared.

So in order to solve one of the most frequent mysteries of computer science and incidentally to point out the culprit, it is necessary to activate file auditing.

This will allow us to see all the modifications or accesses for a given folder or file (read access, delete, ACL modification and so on…)

Group Policy

To enable file auditing we need to create a new GPO.

Create GPO

  • Open Group Policy Manager :
Open Group Policy Management Console from Run window
  • Create GPO and link it to the OU where your file server is located :
Create a GPO from the Group Policy Management console
  • Give an explicit name :
Give a name to a new GPO

Configure GPO

  • Edit the newly created GPO :
Edit a GPO from the Group Policy Management console
  • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Audit Policy and edit Audit object access :
Configure the Audit policy GPO
  • Check Success and Failure then click OK :
Audit object access properties window
  • Now go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access and edit Audit File System :
Edit Audit File System properties from the Group Policy Management console
  • Check Success and Failure then click OK :
Audit File System Properties window

Windows File Server

Now, we need to connect to our Windows File Server to activate the File Auditing on a folder.

Enable Auditing

Let's say we want to enable audit on this \\SRV-DATA\01-Admin share.

Accessing file share from windows file explorer
  • Do a right click on the folder and click Properties :
windows explorer, right click on a folder menu
  • Go to Security tab and click Advanced :
security tab of a folder properties
  • Go to Auditing tab and click Add :
Advanced security settings window
  • Click Select a principal link :
Auditing entry window with the select a principal link
  • Add Everyone object :
Select User, Computer, Service Account or Group window
  • Select All and This folder, subfolders and files, and click OK :
Note : to audit Authorization Policy Change, check Full control box Auditing entry window

Check GPO is applied

  • We can check that the group policiy is correctly applied with gpresult command :
C:\> gpresult /r /z
a windows console with the result of a gpresult command

Watch Logs

The result of the audit will be available in security log of the event log.

  • Open Event Viewer, and go to Security :
open event viewer from run window
  • Example here with a Read access to the «01-Admin» folder from administrateur account :
windows event viewer
  • Example here with «New Text Document (3)» file which has been Deleted by e.cartman account :
windows event viewer
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :