How can a Windows file server identify who deleted, changed, or accessed a shared file?

Reliable file auditing requires advanced audit policy, folder SACLs, adequate log capacity, central retention, and analysis of event 4663 together with SIDs, ownership, and access paths.

1. Conclusion and scope

Prepare the client and server versions, domain membership, DNS and gateway settings, network location, full error text, event timestamps, and recent changes. The reserved example domain corp.example is used throughout; no customer domain, IP address, account, or device identifier is included.

This issue falls under Windows Server and file permissions. Logs and configuration can often be collected remotely first. Bulk permission changes, switch-path work, production cutovers, and recovery drills should use a controlled implementation window.

2. Symptoms and environment

• Capture the complete error text, event-log timestamp, and failed action rather than relying on a verbal description.
• Record the affected scope, first occurrence, reproducibility, and whether the result changes on another subnet.
• Use Effective Access to evaluate the permissions inherited through group membership, ACL inheritance, and explicit deny entries.

3. Troubleshooting sequence

1. File-deletion auditing requires both the advanced audit policy and a SACL on the target folder. Enabling server policy alone does not record every file action.
2. To trace deletions and changes, configure object-access auditing, an appropriate SACL, sufficient log capacity, and central retention.
3. Size Security logs and central collection for the file volume and event rate; otherwise event 4663 records may be overwritten before an investigation.
4. Interpret audit results using the user SID, group membership, owner, application service account, and access path rather than relying only on a display name.
5. Offboarding must cover account disablement, group membership, file and NAS access, file ownership, VPN, business applications, and a documented handover.
6. Change one variable at a time and export the current configuration before making changes.

auditpol /get /subcategory:"File System"
Get-WinEvent -FilterHashtable @{LogName="Security";Id=4663} -MaxEvents 20 | Format-List TimeCreated,Message

4. Safe remediation and rollout

Start with read-only queries, configuration exports, and one-system validation. Once the root cause is confirmed, define the target scope, change window, and rollback method. In an enterprise environment, migrate per-user permissions to department, role, and project security groups while retaining an access matrix, approvals, and rollback scripts.

• Interpret audit results using the user SID, group membership, owner, application service account, and access path rather than relying only on a display name.
• Offboarding must cover account disablement, group membership, file and NAS access, file ownership, VPN, business applications, and a documented handover.
• Change one variable at a time and export the current configuration before making changes.

5. Validation, rollback and common mistakes

Do not stop when the service works once. Revalidate with the user workflow, logs, a restart or fresh sign-in, another network location where relevant, and the next policy or backup cycle.

Validation and rollback checks

• Change one variable at a time and export the current configuration before making changes.
• To trace deletions and changes, configure object-access auditing, an appropriate SACL, sufficient log capacity, and central retention.
• Remove incorrect cached credentials and stale SMB sessions, then confirm that the client is using the intended domain or local account.

Common mistakes to avoid

• Granting Everyone Full Control as a quick workaround.
• Changing share permissions while ignoring NTFS ACLs and inheritance.
• Resetting ACLs recursively without an export and a pilot folder.