How to extract User information in windows who have transfer or delete files from folder?

Question

i need to find out which user delete or transfer files from one folder to another on windows. In above scenario one system have multiple login that means multiple user access the same system. And i need to find out which user transfer files from one folder to another, even delete the files from particular folder.

Please help me in this.

Thanks

Answer 1

For file deletions, you will want to enable Object logging on the Audit Policy.

• General information on changing the Audit Policy.
• This page lists the Event IDs generated in the Security Log

Here is a blog that walks you through setting it up for file deletions, but in short:

1. In Administrative Tools open Local Security Policy then expand Local Policies | Audit Policy, enable "Success" and potentially "Failure" (if you want to see who tries to delete files).
2. Right click on the directory you want to monitor.
   1. Select Properties
   2. Click on the Security tab
   3. Click on the Advanced button
   4. Click on the Auditing tab
   5. Add the users to monitor (or Everyone)
   6. Select "Successful" and "Failed" for the various Delete options.
3. Monitor the Security Event Log for file delete events

Transferring a file is equivalent to a read followed by a create+write (which may be on a different machine).