How can I enable audit logs to find out who deleted a folder on my Azure VM?

ManoharLakkoju 690 Reputation points Microsoft Vendor
2024-10-03T08:49:35.74+00:00

A folder was deleted from a drive on my VM. How can I enable audit logs to find out who deleted the folder?

PS - Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.


1 answer

  1. ManoharLakkoju 690 Reputation points Microsoft Vendor
    2024-10-03T08:50:06.82+00:00

    To enable audit logs and identify the account that deleted a folder on your Azure VM, follow these steps:

    Configure Audit Policy in Group Policy Object (GPO):

      1. Open the GPO configuration page by running the command gpedit.msc.
      2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
      3. Double-click Audit object access to open the Properties window.
      4. Check the box for Define these policy settings.
      5. Click both Success and Failure under Audit these attempts.
      6. Click Apply and OK.
      7. Open Command Prompt as an administrator and run the command gpupdate /force to apply the configuration.

    In the future, if a file or folder is deleted, you can open Event Viewer -> Security Log and check for Event IDs 4660 and 4663 to find the account that deleted the file/folder.

    References for additional options:

    • Create a basic audit policy for an event category

    • Apply a basic audit policy on a file or folder
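The lookup described in the answer, as an added PowerShell example that is not part of the original post: it correlates Event ID 4663 (handle opened with the DELETE right) with Event ID 4660 (object deleted) on HandleId to report which account deleted which file or folder, and from which process. It assumes "Audit object access" is enabled and the folder carries a SACL that audits Delete, as the referenced articles describe; `D:\Data\*` is a placeholder path, and the script must run in an elevated PowerShell session to read the Security log.

```powershell
# Added example, not part of the original answer: correlate Security log events
# 4663 (handle opened with the DELETE right) and 4660 (object deleted) on HandleId
# to report which account deleted which file or folder and from which process.
# Assumes "Audit object access" is enabled and the folder carries a SACL that
# audits Delete / Delete subfolders and files, as the referenced articles describe.
param(
    [string]$PathFilter = 'D:\Data\*',            # placeholder; narrow to the affected drive or folder
    [datetime]$Since    = (Get-Date).AddDays(-7)
)

# Read one named field out of an event's EventData XML.
function Get-Field($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# One query for both IDs; FilterHashtable is applied by the log service, which matters on a busy Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $Since } -ErrorAction SilentlyContinue

# Walk events oldest-first. A 4663 with the DELETE right (0x10000) on a matching path is remembered by HandleId;
# the 4660 that later closes that handle confirms the delete. Removing the entry copes with handle-ID reuse.
$open   = @{}
$report = foreach ($e in ($events | Sort-Object TimeCreated)) {
    $h = Get-Field $e 'HandleId'
    if ($e.Id -eq 4663) {
        $mask = [int](Get-Field $e 'AccessMask')        # PowerShell parses the "0x..." string as hex
        $obj  = Get-Field $e 'ObjectName'
        if (($mask -band 0x10000) -and ($obj -like $PathFilter)) {
            $open[$h] = [pscustomobject]@{
                User    = '{0}\{1}' -f (Get-Field $e 'SubjectDomainName'), (Get-Field $e 'SubjectUserName')
                Object  = $obj
                Process = Get-Field $e 'ProcessName'
            }
        }
    } elseif ($open.ContainsKey($h)) {
        # 4660 carries no object name, only the handle: join it back to the 4663 that opened it.
        $r = $open[$h]
        [pscustomobject]@{ DeletedAt = $e.TimeCreated; User = $r.User; Object = $r.Object; Process = $r.Process }
        $open.Remove($h)
    }
}
$report | Sort-Object DeletedAt | Format-Table -AutoSize
```

Deleting a folder through Explorer produces one 4663/4660 pair per file and subfolder removed, so expect several rows for a single folder deletion, all from the same user and process.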
