Forum Discussion
Why can't the server generate a report about deleting folders and files?
Hello,
I enabled Audit Policy through the following method:
Open the Local Group Policy Editor (gpedit.msc).
Navigate to Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Object Access.
Open the Audit File System policy and check "Success".
Update Group Policy Settings:
Run the command "gpupdate /force" in Command Prompt to apply the changes.
Then I enabled Audit policy on a folder and created and deleted a folder, but when I check the Event Viewer, there is only an ID of 4663. What is the problem?
Thank you.
2 Replies
Hi, the issue is that event 4663 only logs access, not file deletion.
Here's how to fix it:
-Enable "Audit Handle Manipulation" in addition to "Audit File System" in gpedit.msc.
-Check the access type in the event details - it should include DELETE or DELETE_CHILD.
-Enable event logs 4656 and 4660, which track access requests and deletions.
-Configure folder auditing: Right-click the folder - Properties - Security - Advanced - Auditing - Add an entry to track deletion.
-Run gpupdate /force, delete a file/folder, and check the Event Viewer for the correct logs.Hello,
Thank you so much for your reply.
I knew it. Enabled Audit Handle Manipulation too, but the problem was not solved.
