To enable audit logs and identify the account that deleted a folder on your Azure VM, follow these steps:

Configure Audit Policy in Group Policy Object (GPO):

1. Open the GPO configuration page by running the command gpedit.msc.
2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
3. Double-click Audit object access to open the Properties window.
4. Check the box for Define these policy settings.
5. Click both Success and Failure under Audit these attempts.
6. Click Apply and OK.
7. Open Command Prompt as an administrator and run the command gpupdate /force to apply the configuration.

In the future, if a file or folder is deleted, you can open Event Viewer -> Security Log and check for Event IDs 4660 and 4663 to find the account that deleted the file/folder.

References for additional options:
- Create a basic audit policy for an event category
- Apply a basic audit policy on a file or folder
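One way to pull those events out of the Security log with PowerShell, as an added example that is not part of the original answer: it pairs each 4663 event carrying the DELETE access right with the 4660 event for the same process and handle ID, which is what ties the deleting account to the object path. It assumes the folder already has a SACL auditing Delete (the second reference above covers that) and that the path filter and time window are adjusted for your VM.

```powershell
# Added example, not from the original answer. Correlates Security log
# events 4663 (object access, DELETE right requested) and 4660 (object
# deleted) by ProcessId + HandleId to report who deleted which object.
# Assumptions: "Audit object access" (Success) is enabled as described above
# and the folder carries a SACL that audits Delete.
param(
    [string]$PathFilter = 'C:\Data\*',            # assumption: subtree to report on
    [datetime]$Since = (Get-Date).AddDays(-1)     # assumption: look back one day
)

$filter = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten the EventData section of one event into a name -> value hashtable.
function Get-EventFields($evt) {
    $x = [xml]$evt.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Index the 4663 events whose AccessMask includes DELETE (0x10000) and whose
# ObjectName is under the folder of interest. Key on process + handle because
# handle IDs alone are reused across processes.
$deleteAttempts = @{}
foreach ($e in ($events | Where-Object Id -eq 4663)) {
    $d = Get-EventFields $e
    $mask = [Convert]::ToInt64($d['AccessMask'], 16)
    if (($mask -band 0x10000) -and ($d['ObjectName'] -like $PathFilter)) {
        $deleteAttempts["$($d['ProcessId'])|$($d['HandleId'])"] = $d
    }
}

# A 4660 on the same process/handle confirms the object was actually deleted;
# 4660 does not carry the object name, so it is taken from the matched 4663.
foreach ($e in ($events | Where-Object Id -eq 4660)) {
    $d = Get-EventFields $e
    $match = $deleteAttempts["$($d['ProcessId'])|$($d['HandleId'])"]
    if ($match) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Object  = $match['ObjectName']
            Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['ProcessName']
        }
    }
}
```

Handle IDs are reused over time, so on a busy server narrow the time window (or the path filter) to keep the 4663/4660 pairing unambiguous.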