But basically, I was always able to answer questions ”Who did it?

Occasionally, someone deletes a particular important document or a folder with a bunch of documents, resulting in a mission-critical data loss. Considering the described incident, a few questions immediately arise:

Windows has a built-in Auditing subsystem that is capable of logging file and folder deletions, along with the user name and the name of the executable that was used to perform the action.

This policy enables logging of file, folder and Windows Registry access attempts that ended in success. That is all we need here, since we are only interested in successful file or folder deletion attempts.
Click Advanced → Auditing and add Everyone to the list, then mark both Delete checkboxes.

It is quite likely that too many events will be logged, so it is a good idea to configure the Security event log settings.
To enable Auditing, log on with administrative permissions to the computer that hosts the shared folder structure, click Start → Run and launch the MMC console.
Under the Computer Configuration node, open the Windows Settings → Security Settings → Local Policies → Audit Policies folder. Double-click the Audit object access policy and select the Success checkbox.
Auditing is not enabled by default because any monitoring consumes some system resources, so tracking too many events may cause a considerable system slowdown.
Moreover, since not all user activity is of interest for logging, Auditing policies let us capture only the event types that we consider important.
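
The GUI steps described above (enable success auditing for object access, add an Everyone audit entry with both Delete rights, adjust the Security log) can also be scripted. The following is an added example, not part of the original article; it assumes Windows Vista / Server 2008 or later, an elevated PowerShell session, an English-language system (the category name passed to auditpol is localized), a placeholder folder path, and an assumed log size.

```powershell
# Added example: scripted equivalent of the GUI steps. Run from an elevated prompt.
$SharePath = 'D:\Shares\Documents'   # hypothetical path, replace with the shared folder root

# 1. Enable success auditing for the "Audit object access" policy category.
#    Failure auditing is left unchanged: only successful deletions are of interest.
auditpol.exe /set /category:"Object Access" /success:enable

# 2. Build the audit entry: Everyone (well-known SID S-1-1-0), Success only,
#    covering both Delete checkboxes, inherited by subfolders and files.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# 3. Append the entry to the folder's SACL. -Audit is required, otherwise
#    Get-Acl returns the descriptor without its audit entries.
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 4. Enlarge the Security log so deletion events are not overwritten too soon.
#    256 MB is an assumed value; size it to your event volume and retention needs.
wevtutil.exe sl Security /ms:268435456

# 5. Verify: the policy should show Success, and the SACL should list the new entry.
auditpol.exe /get /category:"Object Access"
(Get-Acl -Path $SharePath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

If a domain Group Policy defines the same audit setting, it overrides the auditpol change at the next policy refresh, so on domain members make the change in the GPO instead.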