How to Enable File Auditing on a Windows File Server

Last updated: Oct 14, 2025

Illustration representing Windows file auditing and file activity monitoring

As a system administrator, you’ve probably dealt with users complaining about files mysteriously disappearing or being modified without explanation.

To identify who accessed, changed, or deleted data on your Windows File Server, you can enable file auditing. This feature records every file access event and helps ensure data security and accountability across your network.

In this guide, we’ll show you step by step how to configure Windows file auditing using Group Policy and view detailed logs in Event Viewer.

Configure File Auditing via Group Policy (GPO)

To enable file auditing we need to create a new GPO.

Create a GPO for File Auditing

Open the Group Policy Management Console on your Windows Server to begin creating the file auditing policy.

Opening the Group Policy Management Console (GPMC) from the Windows Run window

Create a new Group Policy Object (GPO) and link it to the Organizational Unit (OU) that contains your Windows file server. This ensures the file auditing policy will apply correctly to the target server.

Creating and linking a new Group Policy Object (GPO) in the Group Policy Management Console to enable Windows file auditing

Give the GPO a name, for example File Auditing:

Naming the new Group Policy Object as File Auditing in the GPO creation window

Configure the GPO for Windows File Auditing

Edit the newly created Group Policy Object (GPO) to configure the Windows file auditing policy.

Editing the File Auditing Group Policy Object in the Group Policy Management Console

In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy:

In the Group Policy Management Editor, right-click Audit object access under Audit Policy to configure Windows file auditing settings

Select both Success and Failure to log all file access attempts, then click OK to apply the Windows file auditing policy.

Selecting Success and Failure in the Audit object access Properties window to enable Windows file auditing

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access, then edit Audit File System:

In Group Policy Management, right-click Audit File System under Advanced Audit Policy Configuration to configure Windows file auditing

Select both Success and Failure to record all file access attempts, then click OK to apply the Windows file auditing settings.

Select Success and Failure in the Audit File System Properties window to enable Windows file auditing

Configure File Auditing on the Windows File Server

We now need to connect to our Windows File Server to enable File Auditing on a folder.

Enable File Auditing on the Windows File Server

In this example, we’ll enable Windows file auditing on the shared folder \\SRV-DATA\01-Admin to track file access and modification events.

Select the 01-Admin shared folder on the SRV-DATA Windows File Server to enable file auditing

Right-click the folder on your Windows File Server and select Properties to configure file auditing.

In Windows File Explorer, right-click the 01-Admin folder on the SRV-DATA server and select Properties to enable file auditing

Go to the Security tab of the folder properties and click Advanced to configure Windows file auditing.

In the 01-Admin folder properties, go to the Security tab and click Advanced to configure Windows file auditing permissions

In the Advanced Security Settings window, go to the Auditing tab and click Add to create a new Windows file auditing entry.

In the Advanced Security Settings for 01-Admin, go to the Auditing tab and click Add to create a new Windows file auditing entry

Click the Select a principal link to choose the user or group you want to audit.

In the Auditing Entry for 01-Admin window, click Select a principal to choose the user or group for Windows file auditing

Add the Everyone group as the principal to audit all user access on the folder.

In the Select User or Group window, enter Everyone as the principal and click OK to include all users in the Windows file auditing rule

Select All permissions and choose This folder, subfolders and files, then click OK to apply the Windows file auditing rule.

💡 Tip: if you also need to audit authorization policy changes, check the Full control option.

In the Auditing Entry for 01-Admin window, choose All and This folder, subfolders and files to apply the Windows file auditing rule to all contents

Check if the File Auditing GPO is Applied

You can verify that the Group Policy Object (GPO) for Windows file auditing is correctly applied using the gpresult command:

C:\> gpresult /r /z

Command prompt showing the gpresult output confirming that the File Auditing Group Policy Object is applied on the Windows File Server

View Windows File Auditing Logs

The Windows file auditing events are recorded in the Security log of the Event Viewer.

Open the Event Viewer and navigate to Windows Logs > Security:

In the Windows Run window, type eventvwr and click OK to open the Event Viewer for viewing Windows file auditing logs

Here is an example from the Windows file auditing log showing a Read access to the «01-Admin» folder by the administrateur account:

Windows Event Viewer displaying security event 4663 for a Read access to the 01-Admin folder by the administrateur account in the file auditing log

This example from the Windows file auditing log shows the file «New Text Document (3)» being deleted by the e.cartman account:

Windows Event Viewer displaying security event 4659 for the deletion of New Text Document (3).txt by the e.cartman account in the file auditing log