recently my company has had some issues with some individuals deleting and altering files then claiming they never touched them (or even worse blaming the IT dept for removing their files). If you have users trying to blame their problems on computer errors or magically deleted files you should turn on auditing! File and Folder access auditing is a wonderful component of general auditing that will keep records of file access, deletions, etc etc. Here is how to turn it on.
In these examples i will be using Windows Server 2008 R2 but these same steps work all the way back to 2003 server., we should start by defining a local policy or group policy on the file server. i went with group policy, so that adds a couple extra steps. first open up your group policy management tool and create a new policy (or add the following to an existing one)
Edit the Computer configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Object Access
Then check “define these policy settings” and check the Success and Failure boxes:
Hit ok and we should be done with the policy side editing. its pretty much the same to do a local policy instead of a group policy, but instead go to Start > Control Panel > Administrative tools > Local Security policy > Local Policies > Audit Policy > Audit Object Access. then make the same changes. If your using group policy make sure the policy is applied to the file server you want auditing enabled on.
Now that we have enabled auditing we need to specify the folders/files we want to audit. To do this go to your file server and select the folder you want audited, right click and go to properties. Click the “Security” tab then the Advanced button, then the Auditing tab. This part will require administrative privileges, make sure you are loged in as an administrator. Now in this box add whoever’s access attempts you want audited. i chose to add everyone.
Now click Edit (or ok if this is the first entry) to open the “Auditing Entries” box. Here you should select which actions you want audited. i chose everything just to cover all the bases, but over time you may want to edit this down until you get only the information you need.
Use the drop down at the top to make sure auditing is applied properly (for most uses make sure it says “This Folder, Subfolders and files” as in the picture)
Click OK and auditing is enabled for the specified Folder/users!! You can check the results of the auditing in the Security section of the event viewer! An easy way to find these auditing result sin the event viewer is to look for the Task Category of “File System”.
I hope this helps! If you have any questions please post them in the comments and i will do my best to answer them!