Share Access Audit Configuration for Detecting Users Deleting or Creating Files
By default, the program cannot detect which user deleted or created a file. To make this possible, you need to enable access auditing for the share. You can do this in two steps:
1. Configure the audit Group Policy in the system
Run the gpedit.msc command (press Win+R or click Start -> Run...), then go to: Policy "Local computer" - "Computer Configuration" - "Windows Settings" - "Security Settings" - "Local Policies" - "Audit Policies" and double-click "Audit object access". Monitoring only successful access is enough. The program performs this step automatically when you click the "Enable audit for the specified folder" button.
2. Enable audit for necessary folders
Do the following:
1) Open the properties dialog for the folder you want to monitor. This dialog opens automatically when you click the "Enable audit for the specified folder" button.
2) Go to the Security tab and click Advanced. Open the Auditing tab and click Add.
3) In the Auditing Entry for... window, select Object. Click Select object and the standard user selection dialog will be displayed.
4) In the user selection dialog, click Advanced... and then Search... to display the full system user list. Select Everyone and click OK.
5) Return to the Auditing Entry for... dialog and select the events the system should audit for operations with files in the folder. Apply the changes in each open dialog, one by one.
The audit configuration process is now finished for the folder. Windows will add records to Event Log for the selected file operations in this folder. When files are deleted or created in the folder, the program will read Event Log and get additional information about the connected users who executed the monitored operations.
Please note that the system writes more than 10 records to Event Log for a single file operation. Event Log can grow quite fast, so we recommend limiting its size in the Event Log settings and keeping an eye on it.
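The two steps above can also be scripted. The following is an added example, not part of the program or its documentation. It assumes an elevated Windows PowerShell session on an English-language system, a hypothetical folder path, and one particular choice of audited rights (create and delete), since the page leaves the event selection to the administrator:

```powershell
# Added example: scripted equivalent of the two GUI steps described above.
# Run from an elevated session. The folder path is a hypothetical placeholder.
param(
    [string]$Folder = 'D:\Shares\Public'
)

# Step 1: enable success auditing for object access.
# Failure auditing is left untouched. Category names are localized on
# non-English Windows installations.
auditpol /set /category:"Object Access" /success:enable

# Step 2: add an audit entry (SACL) for Everyone on the folder.
# WorldSid is the well-known SID of the Everyone group, independent of locale.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Assumption: audit only operations that create or delete files and folders.
$rights = [System.Security.AccessControl.FileSystemRights]`
    'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'

# Apply the entry to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]`
    'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Successful access only, as recommended in step 1.
$flags = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit, $propagate, $flags)

# -Audit is required, otherwise Get-Acl does not return the audit entries.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify both settings, and show the Security log size limit (maxSize)
# so that log growth can be kept under control.
auditpol /get /category:"Object Access"
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
wevtutil gl Security
```

Auditing a narrower set of rights, as done here, also reduces the number of records written to Event Log per file operation.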