Forum Discussion
Windowsgeek (Occasional Reader)
Mar 10, 2025
Why can't the server generate a report about deleting folders and files?
Hello,
I enabled Audit Policy through the following method:
Open the Local Group Policy Editor (gpedit.msc).
Navigate to Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Object Access.
Open the Audit File System policy and check "Success".
Update Group Policy Settings:
Run the command "gpupdate /force" in Command Prompt to apply the changes.
Then I enabled Audit policy on a folder and created and deleted a folder, but when I check the Event Viewer, there is only an ID of 4663. What is the problem?
Thank you.
- micheleariis (Steel Contributor)
Hi, the issue is that event 4663 only logs access, not file deletion.
Here's how to fix it:
- Enable "Audit Handle Manipulation" in addition to "Audit File System" in gpedit.msc.
- Check the access type in the event details - it should include DELETE or DELETE_CHILD.
- Enable event logs 4656 and 4660, which track access requests and deletions.
- Configure folder auditing: Right-click the folder - Properties - Security - Advanced - Auditing - Add an entry to track deletion.
- Run gpupdate /force, delete a file/folder, and check the Event Viewer for the correct logs.
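
The following is an added example, not part of the reply above or of any Microsoft tooling. It turns the events named in this thread into a deletion report: event 4660 carries no object name, so each one is paired with the earlier 4663 from the same process and handle whose access mask includes DELETE. The one-hour look-back window and the variable and function names are assumptions.

```powershell
# Added example: pair each 4660 (object deleted) with the 4663 that names the object.
# Run elevated; reading the Security log requires administrator rights.
$DELETE = 0x10000                      # DELETE bit in the 4663 AccessMask field
$since  = (Get-Date).AddHours(-1)      # assumed look-back window

# Flatten the <EventData> name/value pairs of one event record into a hashtable.
function Get-EventFields {
    param($Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4660, 4663; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object RecordId   # oldest first

# Handle IDs are reused, so walk the log in order and consume each match once.
$pending = @{}    # "ProcessId|HandleId" -> fields of the latest 4663 with DELETE
$report = foreach ($e in $events) {
    $f   = Get-EventFields $e
    $key = "$($f.ProcessId)|$($f.HandleId)"
    if ($e.Id -eq 4663) {
        if ($f.AccessMask -and ([Convert]::ToInt64($f.AccessMask, 16) -band $DELETE)) {
            $pending[$key] = $f
        }
    } else {
        # 4660: the object behind this handle was deleted.
        $src = $pending[$key]
        $pending.Remove($key)
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            Process     = $f.ProcessName
            ObjectName  = if ($src) { $src.ObjectName } else { '(no matching 4663)' }
        }
    }
}
$report | Format-Table -AutoSize
```

Rows showing "(no matching 4663)" mean the deletion was logged but the access event was outside the window or the folder's auditing entry does not cover the delete permission.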