Solved

Tracking user as they access files on Windows 2000 & 2003 Server

Posted on 2004-09-01
3
164 Views
Last Modified: 2010-03-18
Is there any way to track users as they access, change or delete file on Windows 2k-2k3 servers.  I've been running into a problem about some users accessing some files and some got deleted.  I need to find out "who and when" accessed the files.
0
Comment
Question by:kfasick
3 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 11957174
First, you need to "turn on" auditing in general on your file server, using either the local security policy or using a domain policy for the servers in question.
Then you need to enable auditing for the users or groups in question on the folders that are of interest.
Don't get too carried away with the auditing, though, this can have a serious impact on the performance of your file server.

HOW TO: Audit User Access of Files, Folders, and Printers in Windows XP
http://support.microsoft.com/?kbid=310399
0
 
LVL 76

Expert Comment

by:David Lee
ID: 11968081
In addition to the "serious impact on the performance of your file server" that oBdA mentioned, you'll also need to be prepared to spend time digging through the event logs looking for the auditing information.  Here's a sample of the type of information you get in the audit log when auditing file and folder events.  You can certainly narrow the search for events down by filtering the event log, but if you're auditing a lot of files and folders and your server is reasonably busy, then you can expect a lot of events to pick through.  

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\MyFolder\sss.aaa
       Handle ID:      100
       Operation ID:      {0,119750183}
       Process ID:      2104
       Image File Name:      C:\WINDOWS\system32\notepad.exe
       Primary User Name:      MyUserName
       Primary Domain:      MyDomain
       Primary Logon ID:      (0x0,0x17AC3)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
                  ReadData (or ListDirectory)
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  ReadEA
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:            -
       Restricted Sid Count: 0

You might want to consider a utility that monitors folders for changes.  Here's a link to one such product: http://www.gdps.dk/products/watchDirectory.shtml?src=gokwmonfolders

This utility can even be set to notify you via email.  That's pretty handy.  If you do choose to go with auditing, then you might want to consider an application that'll help you sift throught the event logs.
0
 
LVL 4

Expert Comment

by:jonnietexas
ID: 11978296
You might look for some undelete software for the server.  If it's good enough it might tell you who but best of all you might be able to recover the file.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question