An administrator needs to find who deleted files from a department share. Which action should they perform?

Enabling audit object access and specifying files and folders to monitor using Windows Explorer is the appropriate action to identify who deleted files from a department share. This procedure allows the administrator to track specific events related to file access, including deletions, by generating logs that indicate which user account performed the action and when it occurred.

When audit object access is turned on, the system can record detailed information about file operations for the specified objects. By selecting the particular files or folders within Windows Explorer for monitoring, the administrator ensures that all relevant activities can be tracked effectively. The audit logs generated can then be reviewed to determine specific instances of file deletions, including the identity of the user who deleted the files.

This approach focuses on gathering the necessary security-related data that helps in forensic analysis, accountability, and compliance with data protection policies.