Problems with folder auditing

Anonymous
2021-07-22T15:42:07.723+00:00

I have a setup consisting of a Server 2016 and a Windows 10 client. On the server, there is a file share I have configured with auditing, and I am using the client to access the file share remotely.

The GPO I am using has Audit Object Access and Audit File system enabled and for the auditing, I configured Everyone with delete and delete subfolders and files.

When I delete a folder I get 4660 (An object was deleted), which is what I expected, but when I delete a file I get 4659 (A handle to an object was requested with intent to delete) but no 4660. Is this supposed to be correct? Does deleting a file and a folder generate different event IDs? Does 4659 represent file deletion or just an attempt at file deletion?

If this is correct, is there a possible way for both events (file or folder deletion) to have the same event IDs so I can make auditing easier?


1 answer

  1. Anonymous
    2021-07-23T01:27:52.397+00:00

    Hi,

    To audit the deletion of files or folders, event 4663 should be the one we check, whether for a file or a folder deletion, since the event includes all the information you need, such as:

    - Who accessed the files or folders
    - Information on the object type: files or folders
    - Process name: for example, explorer.exe
    - Accesses: Delete

    4663(S): An attempt was made to access an object.

    Event 4660 should also be logged, but there is no object type information.
    Event 4659 should be logged whenever a user installs a patch that requires replacement of a file that is already opened by Windows and can't be closed until shutdown.

    I also did a test in my lab to audit the deletion operation.

    We enabled the audit policy for Object Access and enabled the folder audit.

    When we deleted a file or folder, event 4663 was logged.

    1 person found this answer helpful.
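
The check the answer describes, as an added example that is not part of the original thread: it reports file and folder deletions uniformly from event 4663 (DELETE access) and marks those that have a matching 4660. The function names `Get-DeletionRecord` and `New-SampleEvent` and the sample events are constructed for illustration; matching 4660 on process ID and handle ID goes beyond what the answer states.

```powershell
# Added example. DELETE is bit 0x10000 of the 4663 AccessMask field.
function Get-DeletionRecord {
    param([Parameter(Mandatory)][string[]]$EventXml)

    # Flatten each event into its ID plus a name -> value table of EventData.
    $parsed = foreach ($raw in $EventXml) {
        $e = ([xml]$raw).Event
        $data = @{}
        foreach ($node in $e.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{ Id = [int]$e.System['EventID'].InnerText; Data = $data }
    }

    # 4660 has no object name or type, only the handle: index it by process and handle.
    $deleted = @{}
    foreach ($p in $parsed | Where-Object Id -eq 4660) {
        $deleted["$($p.Data.ProcessId)|$($p.Data.HandleId)"] = $true
    }

    foreach ($p in $parsed | Where-Object Id -eq 4663) {
        $mask = [Convert]::ToInt32($p.Data.AccessMask, 16)
        if (($mask -band 0x10000) -eq 0) { continue }   # not a DELETE access
        [pscustomobject]@{
            User       = "$($p.Data.SubjectDomainName)\$($p.Data.SubjectUserName)"
            ObjectType = $p.Data.ObjectType
            ObjectName = $p.Data.ObjectName
            Process    = $p.Data.ProcessName
            Has4660    = $deleted.ContainsKey("$($p.Data.ProcessId)|$($p.Data.HandleId)")
        }
    }
}

# Hypothetical helper: builds a minimal event XML string for the sample below.
function New-SampleEvent([int]$Id, [hashtable]$Fields) {
    $d = ($Fields.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID></System><EventData>$d</EventData></Event>"
}

# Constructed sample events (not real log data), trimmed to the fields used.
$h = @{ SubjectDomainName = 'LAB'; SubjectUserName = 'alice'; ProcessId = '0x1f40'; HandleId = '0x1a8c' }
$f = @{ ObjectType = 'File'; ObjectName = 'D:\Share\report.docx'; AccessMask = '0x10000'; ProcessName = 'C:\Windows\explorer.exe' }
$sample = @(
    New-SampleEvent 4663 ($h + $f)
    New-SampleEvent 4660 $h
)
Get-DeletionRecord -EventXml $sample | Format-Table -AutoSize

# Live use from an elevated session:
# Get-DeletionRecord -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660,4663} | ForEach-Object { $_.ToXml() })
```

Handle IDs are reused over time, so on a live log restrict the query to a short time window before trusting the `Has4660` column.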
