Windows File Server : How To Enable File Auditing


I'm sure you've already heard users complaining that files have mysteriously disappeared.

So, to solve one of the most frequent mysteries of computer science, and incidentally to point out the culprit, we need to enable file auditing.

This lets us see every modification of, or access to, a given folder or file (read access, delete, ACL modification and so on).

Group Policy

To enable file auditing we need to create a new GPO.

Create GPO

  • Open Group Policy Manager (run the Group Policy Management Console).
  • Create a GPO and link it to the OU where your file server is located.
  • Give it an explicit name.

Configure GPO

  • Edit the newly created GPO.
  • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Audit Policy and edit Audit object access.
  • Check Success and Failure, then click OK.
  • Now go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access and edit Audit File System.
  • Check Success and Failure, then click OK.

Windows File Server

Now we need to connect to our Windows file server to enable file auditing on a folder.

Enable Auditing

Let's say we want to enable auditing on the \\SRV-DATA\01-Admin share.

  • Right-click the folder and click Properties.
  • Go to the Security tab and click Advanced.
  • Go to the Auditing tab and click Add.
  • Click the Select a principal link.
  • Add the Everyone object.
  • Select All and This folder, subfolders and files, then click OK.
Note: to audit Authorization Policy Change, check the Full control box.

Check GPO is applied

  • We can check that the group policy is correctly applied with the gpresult command:
C:\> gpresult /r /z

Watch Logs

The audit results are written to the Security log of the event log.

  • Open Event Viewer and go to Security.
  • Example: a Read access to the «01-Admin» folder from the administrateur account.
  • Example: the «New Text Document (3)» file, which has been Deleted by the e.cartman account.
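
The same information can be pulled from the Security log on the command line. The script below is an added example, not part of the original article: it reads event ID 4663 ("An attempt was made to access an object"), which Windows logs for file accesses matched by the auditing entry, keeps the events under the audited folder and decodes the access mask so reads, deletes and permission changes are easy to tell apart. The local path D:\Shares\01-Admin and the 24-hour window are assumptions; adjust them to your server.

```powershell
# Added example. Run in an elevated PowerShell session on the file server
# (reading the Security log requires administrative rights).
$AuditedPath = 'D:\Shares\01-Admin'      # assumed local path behind \\SRV-DATA\01-Admin
$Since       = (Get-Date).AddHours(-24)  # assumed look-back window

# File-system access rights carried in the AccessMask field of event 4663
$Rights = @{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x10000 = 'DELETE'
    0x40000 = 'WRITE_DAC (change permissions)'
    0x80000 = 'WRITE_OWNER (take ownership)'
}

function ConvertFrom-AccessMask {
    param([string]$Mask)
    # AccessMask is logged as a hex string such as 0x10000
    $value = [Convert]::ToInt32($Mask, 16)
    $names = foreach ($bit in ($Rights.Keys | Sort-Object)) {
        if ($value -band $bit) { $Rights[$bit] }
    }
    if ($names) { $names -join ', ' } else { $Mask }
}

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the named <Data> elements of the event into a lookup table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Keep only objects located under the audited folder
        if ($data.ObjectName -and
            $data.ObjectName.StartsWith($AuditedPath, [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Object  = $data.ObjectName
                Access  = ConvertFrom-AccessMask $data.AccessMask
                Process = $data.ProcessName
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

Rows whose Access column shows DELETE answer the "who deleted my file" question; WRITE_DAC rows show ACL modifications.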
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.