Recently I have ran across random file deletions and on terminal services on Windows 2012 R2+ servers. Typically this is automated A/V programs, pre-crypto programs being installed and blocked and even end users just hacking around. This is a great procedure to setup to track and be proactive on file manipulation on Terminal Server management for Windows Servers

File Access Auditing Event IDs

Once you configured above two settings, now you can see the actual events, to view the file access and file change events, follow the below steps.
1. Open the Run window, type the command eventvwr.msc, and click OK.

2. You can see the Event Viewer Management Console, expand the tree node Windows Logs and select Security.

3. Now, you can see lot of events in right-hand side window, but to track file access, we need to check only two event ids, 4656 and 4663. To filter only these two events, right-click on the Security node and click Filter Current Log.
4. Type the event ids 4656 and 4663 as comma separated values and click.

5. Now, result window lists only file access events, you can double-click on any event and check what type action made on the particular file.

4656: This is the first event logged when an user attempts to access the file, this event gives information about what type of access was requested by the user and it will not give info about what type access actually made by user (which is given by the Event ID 4663).
4663: This event gives the info of what type actual operation is done by user on a file. it tells whether the file was created, modified, deleted, or it simply accessed,
4670: This event logged when user changes the permission of the file (security control list).  The event contains the information, who changed the permissions, old and new permissions.
Event 4663 - Delete File Event Source: