Solved

Tracking user as they access files on Windows 2000 & 2003 Server

Posted on 2004-09-01
3
163 Views
Last Modified: 2010-03-18
Is there any way to track users as they access, change or delete file on Windows 2k-2k3 servers.  I've been running into a problem about some users accessing some files and some got deleted.  I need to find out "who and when" accessed the files.
0
Comment
Question by:kfasick
3 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 11957174
First, you need to "turn on" auditing in general on your file server, using either the local security policy or using a domain policy for the servers in question.
Then you need to enable auditing for the users or groups in question on the folders that are of interest.
Don't get too carried away with the auditing, though, this can have a serious impact on the performance of your file server.

HOW TO: Audit User Access of Files, Folders, and Printers in Windows XP
http://support.microsoft.com/?kbid=310399
0
 
LVL 76

Expert Comment

by:David Lee
ID: 11968081
In addition to the "serious impact on the performance of your file server" that oBdA mentioned, you'll also need to be prepared to spend time digging through the event logs looking for the auditing information.  Here's a sample of the type of information you get in the audit log when auditing file and folder events.  You can certainly narrow the search for events down by filtering the event log, but if you're auditing a lot of files and folders and your server is reasonably busy, then you can expect a lot of events to pick through.  

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\MyFolder\sss.aaa
       Handle ID:      100
       Operation ID:      {0,119750183}
       Process ID:      2104
       Image File Name:      C:\WINDOWS\system32\notepad.exe
       Primary User Name:      MyUserName
       Primary Domain:      MyDomain
       Primary Logon ID:      (0x0,0x17AC3)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
                  ReadData (or ListDirectory)
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  ReadEA
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:            -
       Restricted Sid Count: 0

You might want to consider a utility that monitors folders for changes.  Here's a link to one such product: http://www.gdps.dk/products/watchDirectory.shtml?src=gokwmonfolders

This utility can even be set to notify you via email.  That's pretty handy.  If you do choose to go with auditing, then you might want to consider an application that'll help you sift throught the event logs.
0
 
LVL 4

Expert Comment

by:jonnietexas
ID: 11978296
You might look for some undelete software for the server.  If it's good enough it might tell you who but best of all you might be able to recover the file.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question