Got two Powershell file monitoring scripts to work on Server2k16.
The first one uses .NET objects to track file changes. But it does not give you the usernames associated with deletes. Presents the info to you via a boring .txt file.
The second one parses your security event log for deletes and create events, parses the information, and present it to you in a nifty HTML sheet, you can filter by username etc.
The second one aborted processing when trying to connect to our email server and failed, hence I had no joy with it. Simply commenting the email server part out sees me haz success.
I will need to get the email part working. Did it before with a different powershell script (needs SMTP authentication).
So far so good, it’s cheaper than Netwrix’s utility (which they license per user).