It’s a common issue on business networks: someone reports that files have disappeared from a shared folder, and while the files can often be restored from backup, the bigger question is still unanswered: who and when deleted them, and how can you find out what happened?
The good news is that Windows Server includes built-in auditing tools that can help track file deletions and moves without needing expensive third-party software. When configured properly, this can be done with very little impact on server performance.
This is something we regularly help with for businesses in Oxford, Oxfordshire and Buckinghamshire that rely on shared folders and file servers for day-to-day operations.
Why files go missing from a server share
In most cases, files do not simply “disappear”. The usual causes are:
- Accidental deletion by a user
- A file being moved to a different folder
- An application overwriting or replacing a file
- A sync tool, script or automated process making changes
Without auditing enabled, it is very difficult to prove exactly what happened or who was responsible.
The built-in solution: Windows file auditing
Windows Server can log file access activity through Advanced Audit Policy and NTFS auditing. When set up correctly, it can show:
- Who accessed or deleted a file
- What file or folder was affected
- When it happened
- Which process performed the action
The key is to enable auditing only where needed, rather than across the entire drive, to keep performance impact and log noise to a minimum.
Step 1: Enable Audit File System
On the server, enable the following policy via Group Policy:
Computer Configuration
→ Policies
→ Windows Settings
→ Security Settings
→ Advanced Audit Policy Configuration
→ Audit Policies
→ Object Access
→ Audit File SystemFor this type of investigation, Success auditing is the important setting. That records actions that actually happened, such as files being deleted.
If the policy is applied by GPO, you can force it immediately with:
gpupdate /forceNo server reboot is normally required.
Step 2: Apply auditing only to the affected folders
To avoid excessive logging, do not enable auditing on the whole disk unless there is a very specific reason to do so. Instead, apply it only to the shared folders where files are going missing.
To do this:
- Right-click the folder and choose Properties
- Open the Security tab
- Click Advanced
- Open the Auditing tab
- Add a new auditing entry
A typical setup would be:
- Principal: Authenticated Users
- Type: Success
- Applies to: This folder, subfolders and files
For tracking deletions, enable:
- Delete
- Delete subfolders and files
Optionally, you can also enable:
- Create files / write data
- Create folders / append data
Those extra permissions can help with tracking file moves, because moving a file usually results in a delete at the source and a create at the destination. However, they will also generate more log entries, so whether to include them depends on how much detail you need.
Step 3: Check the Security log
Once auditing is enabled, the events are written to:
Event Viewer → Windows Logs → SecurityThe two most relevant event IDs are:
- 4663 – object access event, often includes the full file path and the type of access requested
- 4660 – object deleted event, confirms the deletion but often has less useful detail
In practice, Event ID 4663 is usually the most useful event when trying to identify who deleted or moved a file, because it often contains the file path, username and process name.
Why searching the log can be awkward
One of the frustrations with Windows file auditing is that the logs are not especially easy to search. Although Event Viewer can filter by Event ID, searching for a partial file name or folder name is not always reliable through the GUI alone.
Also, Event ID 4660 often does not expose the file path in a clear way, which is why searching only for “deleted” events can miss the information you actually need.
For that reason, the best approach is usually to search 4663 events and filter by the ObjectName field, which contains the full path of the file or folder when available.
If you need to search partial file/folder name, it’s best to user a PowerShell script to filter the logs.
Does this affect server performance?
This is a common concern, but in most environments the overhead is very low if auditing is configured sensibly.
To keep performance impact minimal, we recommend:
- Auditing only specific problem folders
- Focusing on delete-related events rather than everything
- Avoiding broad auditing of read activity unless genuinely required
Problems usually only arise when auditing is enabled too widely, such as on an entire busy file server volume with many users and many types of access being logged.
When to consider third-party tools
For many small businesses, the built-in Windows tools are enough. However, if you need easier reporting, alerting or long-term auditing, specialist products such as Netwrix or ManageEngine can provide more user-friendly dashboards and reports.
That said, for many organisations in Oxford, Oxfordshire and Buckinghamshire, the built-in Windows Server auditing features are a cost-effective and perfectly workable solution when set up properly.
Final thoughts
If files are regularly “going missing” from a Windows file server, restoring them is only part of the answer. The real value comes from being able to see who did what and when.
By enabling the right auditing settings and using a simple PowerShell search script, you can turn guesswork into evidence and make troubleshooting much easier.
