This guide shows how to set up auditing of file deletions on servers. The events are written to the "Security" log as Event ID 4656 ("A handle to an object was requested"); a delete starts with a handle request that asks for DELETE access, so filtering 4656 on that access right tells you who deleted what, and with which program. Let's get started.
Setting up file system auditing
Start secpol.msc → expand "Security Settings" → "Advanced Audit Policy Configuration" → "System Audit Policies" → "Global Object Access Auditing", then double-click "File System".
In the File System properties, tick "Define this policy setting" and click "Configure..." to open the SACL (auditing entries) editor.
Add an auditing entry with the options below: Principal "Everyone", Type "All" (both Success and Failure, because a delete by an administrator will usually succeed and you want those recorded too). Then click "Clear all" and select only "Delete" and "Delete subfolders and files".
Add the policy to a GPO (Advanced Audit Policy Configuration)
Advanced Audit Policy Configuration (Windows Vista / Server 2008 and later) supersedes the legacy nine-category audit policy under Local Policies → Audit Policy, so you do not need to enable anything in the legacy location; the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (enabled by default) ensures the advanced settings win if both happen to be defined. Setting both locations is only needed for backwards compatibility with pre-Server 2008 machines, which you should NOT be running anyway.
Open the Group Policy Management Console (gpmc.msc), create a new GPO and edit it. Go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access, and set the following:
Audit File System → Define → Success and Failure
Audit Handle Manipulation → Define → Success and Failure
Link the new GPO to the OU that contains the server (or to the domain); the policy does nothing until it is linked.
Apply the change by forcing a Group Policy update on the server:
gpupdate /force
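Once the update has run, it is worth checking that the policy actually landed before relying on it. The script below is an added example, not part of the original post: it reads the effective advanced audit policy with auditpol, shows the Global Object Access Auditing SACL for files (which is only visible through auditpol, never in the Auditing tab of a file's properties), and optionally lists an explicit per-folder SACL. The folder path C:\Shares\Finance is an assumed example; run it in an elevated PowerShell prompt on the server.

```powershell
# Added example: verify the file-delete auditing configured above is in effect.
# Requires an elevated prompt (auditpol needs administrator rights).

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # auditpol prints a two-column table; the subcategory row ends with the
    # effective setting, e.g. "  File System      Success and Failure".
    $pattern = '^\s*' + [regex]::Escape($Subcategory) + '\s{2,}(?<setting>.+?)\s*$'
    foreach ($line in (auditpol /get /subcategory:"$Subcategory")) {
        if ($line -match $pattern) { return $Matches['setting'] }
    }
    return 'Unknown'
}

function Test-FileDeleteAuditing {
    param([string]$SampleFolder = 'C:\Shares\Finance')   # assumed example path
    $result = [ordered]@{}

    # 1. Effective advanced audit policy for the two subcategories set in the GPO.
    foreach ($sub in 'File System', 'Handle Manipulation') {
        $result[$sub] = Get-AuditSubcategorySetting -Subcategory $sub
    }

    # 2. Global Object Access Auditing SACL for the File resource type.
    $globalSacl = auditpol /resourceSACL /type:File /view
    $result['GlobalFileSACL'] = ($globalSacl | Out-String).Trim()
    # -match on an array returns the matching lines; cast to bool for a yes/no.
    $result['GlobalSaclAuditsDelete'] = [bool]($globalSacl -match 'Delete')

    # 3. Optional: an explicit per-folder SACL, if one was also set on a share.
    if (Test-Path -Path $SampleFolder) {
        $audit = (Get-Acl -Path $SampleFolder -Audit).Audit
        $result['FolderSACL'] = $audit | ForEach-Object {
            '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AuditFlags
        }
    }

    # Ready only if the subcategory is fully enabled AND the global SACL audits Delete.
    $result['Ready'] = ($result['File System'] -eq 'Success and Failure') -and
                       $result['GlobalSaclAuditsDelete']
    return [pscustomobject]$result
}

Test-FileDeleteAuditing | Format-List
```

If "Ready" comes back false straight after gpupdate, check that the GPO is linked to the right OU and that the server is in it (gpresult /r /scope computer lists the applied GPOs).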
Reviewing events
Open Event Viewer and filter the Security log for Event ID 4656 with a task category of "File System" or "Removable Storage" and the string "Accesses: DELETE" in the event text. Two caveats: 4656 records the handle request, not the deletion itself (a completed delete is followed by 4663 "An attempt was made to access an object" and 4660 "An object was deleted" carrying the same Handle ID), and DELETE access is also requested when a file is renamed or moved, so where it matters confirm a real deletion by the matching 4660.
You will usually see a Failure event first: with UAC enabled, Explorer first attempts the operation with the unelevated token, which is denied (that is when the shield prompt appears). Once you approve the prompt the delete goes through and a Success event is logged.
This is the event as logged: you get the file that was deleted and the program used to delete it, here 1234.txt deleted with Explorer. The full event, shown below, gives more than that and also tells you who did it (the Subject fields).
A handle to an object was requested.
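Clicking through events one at a time does not scale, so as an added example (not code from the original post) here is a PowerShell query that pulls the same information out of the Security log: the 4656 events whose requested access includes DELETE on a file object, flattened into who / what / which program / success or failure. It assumes you run it on the server (or pass -ComputerName) with rights to read the Security log. The access-right filter works on the raw EventData rather than the rendered message: %%1537 is the message-table id that renders as "DELETE" in the Accesses field, and %%4422 is "DeleteChild", the "Delete subfolders and files" right. A second function confirms a hit by looking for the 4660 event with the same Handle ID, which is only written when the object really went away.

```powershell
# Added example: list 4656 file-delete requests and confirm them against 4660.

function Get-FileDeleteAuditEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4656; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only file objects whose requested access includes DELETE
        # (%%1537) or DeleteChild (%%4422, "Delete subfolders and files").
        if ($data['ObjectType'] -ne 'File') { continue }
        if ($data['AccessList'] -notmatch '%%1537|%%4422') { continue }

        [pscustomobject]@{
            Time     = $ev.TimeCreated
            Outcome  = ($ev.KeywordsDisplayNames -join ',')   # 'Audit Success' / 'Audit Failure'
            User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            File     = $data['ObjectName']
            Process  = $data['ProcessName']
            HandleId = $data['HandleId']
        }
    }
}

function Confirm-FileDeletion {
    # 4660 "An object was deleted" carries the HandleId of the 4656 that opened
    # the object; a rename also requests DELETE but never produces a 4660.
    param(
        [Parameter(Mandatory)][string]$HandleId,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4660; StartTime = $Since }
    $deleted = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $deleted) {
        $xml = [xml]$ev.ToXml()
        $h = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'HandleId' }).'#text'
        if ($h -eq $HandleId) { return $true }
    }
    return $false
}

# Successful delete requests in the last 24 hours, newest first, with the
# 4660 confirmation added; the UAC "Audit Failure" noise is filtered out.
$since = (Get-Date).AddHours(-24)
Get-FileDeleteAuditEvents -Since $since |
    Where-Object { $_.Outcome -eq 'Audit Success' } |
    Sort-Object Time -Descending |
    Select-Object Time, User, File, Process,
        @{ Name = 'Confirmed'; Expression = { Confirm-FileDeletion -HandleId $_.HandleId -Since $since } } |
    Format-Table -AutoSize
```

Handle IDs are reused over time, so keep the -Since window short when confirming, and remember that Global Object Access Auditing covers every file on the server: on a busy file server, narrow the query further on File (the ObjectName path) before you go hunting through it.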