How to check which user delete a file that is place on network drive

Group Policy
Microsoft Windows Server 2003
Network security
I am using Windows 2003 domain server and in Active Directory, I have made organizational unit of different departments. I also enable auditing features in Windows 2003. Now my question is where I can check which user access which file on the network drives? When I saw it in even viewers of Domain controller, I don't look any entry in it. Please tell me complete guidance so I can track changes and access of network objects. Muhammad Usman

Answer Wiki

Thanks. We'll let you know when a new response is added.

Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events

Auditing is generally turned on through a security policy, which is another part of Group Policy. These security policies are generally accessed through Administrative Tools.


Audit Account Logon Events: Tracks user logon and logoff events.
Audit Account Management: Reports changes to user accounts.
Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
Audit Logon Events: Reports success/failure of any local or remote access-based logon.
Audit Object Access: Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
Audit Policy Change: Reports changes to group policies.
Audit Privilege Use: Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
Audit Process Tracking: Reports process and program failures. Not security related.
Audit System Events: Reports standard system events. Not security related.
If it becomes necessary to audit file or folder access, the audit policy must be changed, and then the file or folder must be flagged for auditing. From that point, items will appear in the Event Viewer. How the file or folder is accessed is also subject to auditing, and must be decided once auditing of the object is enabled. Every type of permission listed earlier in this chapter is available as a type of access, with each type of access capable of being audited if successful or failed. Read more here.

There is another article which explains how to monitor file deletion on a Windows Machine (Server and Client):

This method of logging file system changes using security auditing can be extended with file read, write, change operations.

Discuss This Question: 2  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • gmak1
    Hi Muhammed, Have a look at trialling NetFort LANGuardian, it is a network monitoring software that covers file access monitoring and auditing as well as other solution. It should solve your problem if you are still having the issue? Here are some things you may use it for: - Finding out what files have been deleted from a file share and who deleted them. - Identifying the users that have accessed a specific file or file share over a specific time period. - Counting how many files of a given type are shared on the network
    30 pointsBadges:
  • carltonflintoff
    Here is another effective File server auditing tool available from Lepide ( that track all the changes made in file server at granular level and provide the captured data with real time monitoring. It has instant alerts feature that alerts instantly by sending customized email notification of all critical changes so that, you can take appropriate action before the situation becomes more complex.
    175 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: