Note: Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.
To enable audit logs and identify the account that deleted a folder on your Azure VM, follow these steps:
Configure Audit Policy in Group Policy Object (GPO):
- Open the GPO configuration page by running the command gpedit.msc.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
- Double-click Audit object access to open the Properties window.
- Check the box for Define these policy settings.
- Click both Success and Failure under Audit these attempts.
- Click Apply and OK.
- Open Command Prompt as an administrator and run the command gpupdate /force to apply the configuration.
In the future, if a file or folder is deleted, you can open Event Viewer -> Security Log and check for Event ID 4660 and 4663 to find the account that deleted the file/folder.
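The lookup described above can also be scripted. The following is an added example, not part of the original post: it pairs each 4660 with the 4663 that shares its process and handle ID, because 4660 does not record the object name. It assumes auditing entries (a SACL) are set on the folder so that 4663 events are written; the function names, accounts and the C:\Data path are hypothetical.

```powershell
# Added example, not from the original post. Event 4660 has no object name, so
# the path is taken from the 4663 that shares its ProcessId and HandleId.
function ConvertTo-AuditRecord {
    # Flatten a Get-WinEvent Security record into Id, time and named EventData fields.
    param([Parameter(ValueFromPipeline)] $EventRecord)
    process {
        $rec = [ordered]@{ Id = $EventRecord.Id; TimeCreated = $EventRecord.TimeCreated }
        foreach ($d in ([xml]$EventRecord.ToXml()).Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        [pscustomobject]$rec
    }
}

function Get-DeletionActor {
    param([object[]] $Records, [string] $PathPrefix)
    $DELETE = 0x10000   # DELETE bit in the 4663 AccessMask
    $deleted = @{}      # "ProcessId|HandleId" keys confirmed deleted by a 4660
    foreach ($r in ($Records | Where-Object Id -eq 4660)) {
        $deleted["$($r.ProcessId)|$($r.HandleId)"] = $true
    }
    $Records | Where-Object {
        $_.Id -eq 4663 -and
        ([Convert]::ToInt32($_.AccessMask, 16) -band $DELETE) -and
        $_.ObjectName -like "$PathPrefix*" -and
        $deleted.ContainsKey("$($_.ProcessId)|$($_.HandleId)")
    } | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
            Path    = $_.ObjectName
            Process = $_.ProcessName
        }
    }
}

# Constructed sample records (hypothetical accounts and paths), shaped like ConvertTo-AuditRecord output.
$sample = @(
    [pscustomobject]@{ Id = 4663; TimeCreated = [datetime]'2024-01-01T10:00:00'; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'alice'; ObjectName = 'C:\Data\Reports'; HandleId = '0x5a4'; ProcessId = '0x1f0'; ProcessName = 'C:\Windows\explorer.exe'; AccessMask = '0x10000' }
    [pscustomobject]@{ Id = 4660; TimeCreated = [datetime]'2024-01-01T10:00:00'; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'alice'; HandleId = '0x5a4'; ProcessId = '0x1f0'; ProcessName = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Id = 4663; TimeCreated = [datetime]'2024-01-01T10:05:00'; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'bob'; ObjectName = 'C:\Data\Reports\q1.xlsx'; HandleId = '0x7c0'; ProcessId = '0x2a8'; ProcessName = 'C:\Windows\explorer.exe'; AccessMask = '0x1' }
)
Get-DeletionActor -Records $sample -PathPrefix 'C:\Data' | Format-List

# On the VM, from an elevated prompt (handle values are reused, so keep the time window narrow):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = (Get-Date).AddHours(-1) } | ConvertTo-AuditRecord
# Get-DeletionActor -Records $live -PathPrefix 'C:\Data'
```

With the sample data only the CONTOSO\alice record is returned: the second 4663 is a read access with no matching 4660, so it is not reported as a deletion.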
References for additional options: