Solved

Tracking user as they access files on Windows 2000 & 2003 Server

Posted on 2004-09-01
3
165 Views
Last Modified: 2010-03-18
Is there any way to track users as they access, change or delete file on Windows 2k-2k3 servers.  I've been running into a problem about some users accessing some files and some got deleted.  I need to find out "who and when" accessed the files.
0
Comment
Question by:kfasick
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 11957174
First, you need to "turn on" auditing in general on your file server, using either the local security policy or using a domain policy for the servers in question.
Then you need to enable auditing for the users or groups in question on the folders that are of interest.
Don't get too carried away with the auditing, though, this can have a serious impact on the performance of your file server.

HOW TO: Audit User Access of Files, Folders, and Printers in Windows XP
http://support.microsoft.com/?kbid=310399
0
 
LVL 76

Expert Comment

by:David Lee
ID: 11968081
In addition to the "serious impact on the performance of your file server" that oBdA mentioned, you'll also need to be prepared to spend time digging through the event logs looking for the auditing information.  Here's a sample of the type of information you get in the audit log when auditing file and folder events.  You can certainly narrow the search for events down by filtering the event log, but if you're auditing a lot of files and folders and your server is reasonably busy, then you can expect a lot of events to pick through.  

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\MyFolder\sss.aaa
       Handle ID:      100
       Operation ID:      {0,119750183}
       Process ID:      2104
       Image File Name:      C:\WINDOWS\system32\notepad.exe
       Primary User Name:      MyUserName
       Primary Domain:      MyDomain
       Primary Logon ID:      (0x0,0x17AC3)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
                  ReadData (or ListDirectory)
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  ReadEA
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:            -
       Restricted Sid Count: 0

You might want to consider a utility that monitors folders for changes.  Here's a link to one such product: http://www.gdps.dk/products/watchDirectory.shtml?src=gokwmonfolders

This utility can even be set to notify you via email.  That's pretty handy.  If you do choose to go with auditing, then you might want to consider an application that'll help you sift throught the event logs.
0
 
LVL 4

Expert Comment

by:jonnietexas
ID: 11978296
You might look for some undelete software for the server.  If it's good enough it might tell you who but best of all you might be able to recover the file.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question