Auditing Problem
I'm attempting to audit user deletions of files/folders on my servers. I have four sites/servers, all Win 2003 R2 DCs, current and up to date.

As prescribed in numerous online documents I enabled "OBJECT" auditing through the default DC GP. Open the default DC group policy, under Computer Configuration/Windows Settings/Local Policies/Audit Policy - Audit object access - success.

I've then gone to the individual shares & folders and I've enabled the actual auditing of the file/folder objects by right clicking the folder, going to properties, security, then advanced. On the advanced dialog I open the Auditing tab and 'add' 'Everyone' 'this folder, sub folders and files' and check the two 'delete' boxes for success.

After I delete some test documents & folders I do not ever see any entries in the security event log (I think they're supposed to be event ID 560 entries...)??? Help, what's wrong?
June 1st, 2009 9:32pm

Auditing an object on a domain is not a local policy. The anonymous, anyone and everyone groups are separated in 2003 R2 (correct me if I'm wrong). If you're logged on locally you will not be able to view security audits made on shared objects. It seems that 'event id 560' refers to an audit failure, so I wonder if you're logging security failures as well. Take into account that denying will take precedence over allowing permissions. I can't be sure what will actually turn out to be the problem/solution. Your question is confusing and interesting.

Information is the most valuable commodity I know of.
June 2nd, 2009 7:57pm

What I'm attempting to do is audit when users on the domain delete files/folders. What I've done:

1. I enabled "OBJECT" auditing through the default Domain Controller Group Policy.

2. I edited the default DC group policy: In the editor, under Computer Configuration/Windows Settings/Local Policies/Audit Policy, under "Audit object access" I have success checked. (This is NOT the local group policy editor - this is a DC, you can't get to that - it's in the group policy editor under 'AD Users & Computers'.)

3. Then I opened Windows Explorer and went to the specific files/folders I wanted to audit:
   - right click the files/folders
   - go to 'Properties'
   - 'Security' tab
   - click the 'Advanced' button
   - choose the 'Auditing' tab
   - I add 'Everyone' - choose 'this folder and subfolders...' - and then I check the two 'Delete' boxes for "Success"

4. After I've deleted some files and folders, I check the security logs and there is nothing there.

5. I'm assuming/expecting something to be there and I don't see anything. I also ASSUMED that the eventID for this would be a 560 - but I don't know that because NOTHING is there.

All I want to do is be able to tell when someone deletes files/folders on one of my servers. I've Googled for days trying to make this work and I'm doing what I believe/think is right and it does not work.
June 2nd, 2009 9:00pm
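
The SACL entry from step 3, applied from PowerShell instead of the Advanced > Auditing dialog, as an added example that is not part of this thread or anyone's post in it. It assumes PowerShell 2.0 or later on the file server, an elevated domain-admin session, that `D:\Shares\Finance` is a placeholder for the real share root, and that "Audit object access: Success" is already enabled by Group Policy as in step 2. The last two lines check the effective audit policy from the local security database, which is the same question the thread later answers with gpresult.

```powershell
# Added example, not from the thread: apply the "Delete" success audit entry
# the poster set by hand, so it can be repeated identically on each branch server.
# Assumptions: PowerShell 2.0+, elevated domain admin on the file server,
# D:\Shares\Finance is a placeholder, and the GPO audit policy is already in place.

param([string]$Path = 'D:\Shares\Finance')   # placeholder; pass the real share root

$acl = Get-Acl -Path $Path -Audit    # -Audit reads the SACL, not just the DACL

# Delete on the object itself plus delete of child entries in a folder:
# these are the two "Delete" boxes in the Advanced > Auditing dialog.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
# "This folder, subfolders and files"
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read back what was written on the share root.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Effective audit policy on this server: export the local security database and
# read the [Event Audit] section. AuditObjectAccess = 1 is Success, 2 Failure, 3 both.
$inf = Join-Path $env:TEMP 'audit-check.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
Get-Content $inf | Select-String -Pattern 'AuditObjectAccess'
```

Run it once per server with the real share root; because the rule inherits to containers and objects, per-file entries are unnecessary, which is the same point the next reply makes.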

As far as I see :) all the steps you mentioned are correct; also the event ID is the right one for a deleted object. I suggest checking whether the group policy is really applied to the DC by using gpresult (resultant set of policy). Also, you don't need to enable audit success delete on each file, just check the audit success delete for subfolders/files on the folder that contains the files.

Just FYI, I don't recommend using the DC as a file server as it will increase the attack surface on it.
June 4th, 2009 12:13am

As far as I see :-) you did indeed follow all of the steps correctly. What confused me was the way you used terms like 'user' and 'everyone', and it's not clear to me how you tested the environment. It did raise some questions for me personally and I did some research myself. I didn't get the idea to check the resultant set of policy however. (Pretty funny, come to think of it.)

In the folder directly beneath the one you used to audit the policy in the console there's an entry which sets the security settings for users who can access 'this' computer from the network. The everyone group does not include all the users you intended, from what I gather so far. I presume you set the audit properties on the DC as a 'domain administrator' and I assume you're looking at the event viewer as a 'local administrator'. I don't think a local administrator is privileged to access audit logs made by a domain administrator. I was looking for some clarification on the way you used the user accounts with my first response but I wasn't specific.

I did come across a small list of events; Event 560 is an indication of an object being accessed. Event 565 specifies an 'attempt' to delete an object; the event doesn't specify a success or failure.

Information is the most valuable commodity I know of.
June 4th, 2009 10:52am

Yes, GPRESULT shows the policy being applied. On one of my branch servers I'm seeing the events. Of course they're impossible to interpret. So, the whole process appears to be a waste of time. All I wanted to do is see when or if people were deleting items. Just something simple - like user xyz deleted file 123.

I agree, I wouldn't normally have a file server be on a DC. But this is a very small company and I only have one server per branch office.

As it is, it appears my "deletion problem" is actually replication. I've opened a case with MSFT. And no, it is not deletions that are getting replicated - replication is actually deleting files.
June 9th, 2009 6:22pm
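
The "user xyz deleted file 123" summary the poster wanted, derived from the raw events, as an added example that is not part of this thread or anyone's post in it. On Windows 2003, event 560 (Object Open) records who opened a handle, on which object, and which access rights were requested; the handle's actual deletion is logged separately as event 564 (Object Deleted), which carries only the Handle ID. Pairing the two on Handle ID is what turns the 560 "noise" (opens that requested DELETE for a rename or a check but never deleted anything) into a list of confirmed deletions. It assumes PowerShell 2.0 or later; the sample messages are constructed and abbreviated to the fields the parser reads, not captured from the poster's servers, and the server name FS01 and the users are placeholders.

```powershell
# Added example, not from the thread: reduce 2003-era security events to
# "user deleted file" lines by joining 560 (Object Open) and 564 (Object Deleted)
# on Handle ID. Assumptions: PowerShell 2.0+; sample messages below are constructed.

function Get-MessageField {
    param([string]$Message, [string]$Label)
    # Fields look like "<tab>Label:<tab>value"; a value never spans lines.
    $m = [regex]::Match($Message, [regex]::Escape($Label) + '\s*(.+)')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
}

function ConvertFrom-ObjectOpen {
    param([string]$Message)
    $client = Get-MessageField $Message 'Client User Name:'
    # Over SMB the server opens the file as SYSTEM (Primary User = machine account);
    # the person is in the Client User fields. Local access leaves Client User as "-".
    if ($client -and $client -ne '-') {
        $user = '{0}\{1}' -f (Get-MessageField $Message 'Client Domain:'), $client
    } else {
        $user = '{0}\{1}' -f (Get-MessageField $Message 'Primary Domain:'), (Get-MessageField $Message 'Primary User Name:')
    }
    # Accesses is a block of access names ending at the Privileges line.
    $accesses = [regex]::Match($Message, '(?s)Accesses:(.*?)Privileges:').Groups[1].Value
    New-Object PSObject -Property @{
        HandleId    = Get-MessageField $Message 'Handle ID:'
        ObjectName  = Get-MessageField $Message 'Object Name:'
        User        = $user
        WantsDelete = ($accesses -cmatch '\bDELETE\b')   # case-sensitive on purpose
    }
}

function Get-DeletionSummary {
    # $Events: objects with EventID and Message, oldest first (Handle IDs are
    # reused over time, so order matters). Emits one line per confirmed deletion.
    param($Events)
    $open = @{}
    foreach ($e in $Events) {
        switch ($e.EventID) {
            560 { $o = ConvertFrom-ObjectOpen $e.Message
                  if ($o.WantsDelete) { $open[$o.HandleId] = $o } }
            564 { $h = Get-MessageField $e.Message 'Handle ID:'
                  if ($open.ContainsKey($h)) {
                      '{0} deleted {1}' -f $open[$h].User, $open[$h].ObjectName
                      $open.Remove($h)
                  } }
        }
    }
}

# Constructed sample: jdoe deletes budget.xls over the network (560 then 564),
# while bsmith's open of notes.txt with DELETE never produces a 564 (noise).
$open560 = @'
Object Open:
    Object Server:  Security
    Object Type:    File
    Object Name:    D:\Shares\Finance\budget.xls
    Handle ID:  1528
    Primary User Name:  FS01$
    Primary Domain: CORP
    Client User Name:   jdoe
    Client Domain:  CORP
    Accesses:   DELETE
            READ_CONTROL
    Privileges: -
'@
$deleted564 = @'
Object Deleted:
    Object Server:  Security
    Handle ID:  1528
    Process ID: 4
'@
$noise560 = $open560 -replace 'budget\.xls', 'notes.txt' -replace '1528', '1600' -replace 'jdoe', 'bsmith'

$sampleEvents = @(
    (New-Object PSObject -Property @{ EventID = 560; Message = $noise560 }),
    (New-Object PSObject -Property @{ EventID = 560; Message = $open560 }),
    (New-Object PSObject -Property @{ EventID = 564; Message = $deleted564 })
)
Get-DeletionSummary $sampleEvents

# Live use on the file server (reading the Security log needs admin rights):
# Get-DeletionSummary (Get-EventLog -LogName Security -Newest 5000 | Sort-Object TimeGenerated, Index)
```

Only the budget.xls deletion is reported; the notes.txt open is dropped because no 564 ever closed that handle with a delete. Running the live form on a schedule and keeping its output is the simple audit trail the thread was after.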

Great !!! I've just finished another thread on auditing which started in December last year and had been bothering me ever since an MVP untagged my response as answer. Events 560, 562, 565, corresponding to event 4674 in Server 2008, seemed to be useless (!) network 'noise'. I'm really curious what MSFT has to say. And thanks for confirming (exactly) what I was thinking about! I've seen a topology depicting the forests on child.microsoft.com and msn.com; because MS has the luxury to install a DC totally separately they do so. <bump>

Information is the most valuable commodity I know of.
June 10th, 2009 3:11am
