![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 95%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
9,025 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 4%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Note: Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.
To enable audit logs and identify the account that deleted a folder on your Azure VM, follow these steps:
Configure Audit Policy in Group Policy Object (GPO):
- Open the GPO configuration page by running the command
gpedit.msc. - Navigate to
Computer Configuration>Windows Settings>Security Settings>Local Policies>Audit Policy. - Double-click
Audit object accessto open the Properties window. - Check the box for
Define these policy settings - Click both
SuccessandFailureunderAudit these attempts. - Click
ApplyandOK. - Open Command Prompt as an administrator and run the command
gpupdate /forceto apply the configuration.
In the future if a file or folder is deleted, you can open Event Viewer -> Security Log and check for Event ID 4660 and 4663 to find the account that deleted the file/folder.
References for additional options: