kfasick
Tracking user as they access files on Windows 2000 & 2003 Server
Is there any way to track users as they access, change or delete files on Windows 2k-2k3 servers? I've been running into a problem about some users accessing some files and some got deleted. I need to find out "who and when" accessed the files.
You might look for some undelete software for the server. If it's good enough it might tell you who but best of all you might be able to recover the file.
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\MyFolder\sss.aaa
Handle ID: 100
Operation ID: {0,119750183}
Process ID: 2104
Image File Name: C:\WINDOWS\system32\notepa
Primary User Name: MyUserName
Primary Domain: MyDomain
Primary Logon ID: (0x0,0x17AC3)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
    SYNCHRONIZE
    ReadData (or ListDirectory)
    WriteData (or AddFile)
    AppendData (or AddSubdirectory or CreatePipeInstance)
    ReadEA
    WriteEA
    ReadAttributes
    WriteAttributes
Privileges: -
Restricted Sid Count: 0
You might want to consider a utility that monitors folders for changes. Here's a link to one such product: http://www.gdps.dk/products/watchDirectory.shtml?src=gokwmonfolders
This utility can even be set to notify you via email. That's pretty handy. If you do choose to go with auditing, then you might want to consider an application that'll help you sift through the event logs.
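
As an added example (not part of any answer above and not taken from any product mentioned), this Python parser reads the text of an Object Open record like the one quoted above and reports who opened which file and with which change-capable access rights. The function names, the `MODIFYING` set and the client-versus-primary rule are assumptions of this example.

```python
import re

# Access names that change or remove a file (assumption: this set is this example's choice).
MODIFYING = {"WriteData", "AppendData", "WriteEA", "WriteAttributes",
             "DELETE", "WRITE_DAC", "WRITE_OWNER"}
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")  # "Name: value"

def parse_object_open(text):
    """Parse one Object Open description into a dict; Accesses becomes a list."""
    fields, last = {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = [m.group(2)] if m.group(2) else []
        elif last:  # no "Name:" prefix: continuation line (the Accesses list)
            fields[last].append(line)
    record = {k: " ".join(v) for k, v in fields.items()}
    # Drop the "(or ListDirectory)" alternatives so names compare cleanly.
    record["Accesses"] = [a.split(" (")[0] for a in fields.get("Accesses", [])]
    return record

def summarize(record):
    """Who opened which file, and with which change-capable access rights."""
    # Assumption: a filled-in Client User Name means the process acted for that
    # user (e.g. over the network); otherwise the primary account is the actor.
    kind = "Client" if record.get("Client User Name", "-") != "-" else "Primary"
    who = record.get(kind + " Domain", "-") + "\\" + record.get(kind + " User Name", "-")
    return {"who": who, "file": record.get("Object Name"),
            "modifying": sorted(set(record["Accesses"]) & MODIFYING)}

# Sample input: abridged from the record quoted on this page (paths as posted).
SAMPLE = r"""Object Open:
Object Name: C:\MyFolder\sss.aaa
Image File Name: C:\WINDOWS\system32\notepa
Primary User Name: MyUserName
Primary Domain: MyDomain
Client User Name: -
Client Domain: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteAttributes
Privileges: -
"""

if __name__ == "__main__":
    print(summarize(parse_object_open(SAMPLE)))
```

The Accesses list records what the handle was opened with, so a hit shows the user could have modified the file through that handle, not that a write took place.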