[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 174
  • Last Modified:

Tracking user as they access files on Windows 2000 & 2003 Server

Is there any way to track users as they access, change or delete file on Windows 2k-2k3 servers.  I've been running into a problem about some users accessing some files and some got deleted.  I need to find out "who and when" accessed the files.
0
kfasick
Asked:
kfasick
1 Solution
 
oBdACommented:
First, you need to "turn on" auditing in general on your file server, using either the local security policy or using a domain policy for the servers in question.
Then you need to enable auditing for the users or groups in question on the folders that are of interest.
Don't get too carried away with the auditing, though, this can have a serious impact on the performance of your file server.

HOW TO: Audit User Access of Files, Folders, and Printers in Windows XP
http://support.microsoft.com/?kbid=310399
0
 
David LeeCommented:
In addition to the "serious impact on the performance of your file server" that oBdA mentioned, you'll also need to be prepared to spend time digging through the event logs looking for the auditing information.  Here's a sample of the type of information you get in the audit log when auditing file and folder events.  You can certainly narrow the search for events down by filtering the event log, but if you're auditing a lot of files and folders and your server is reasonably busy, then you can expect a lot of events to pick through.  

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\MyFolder\sss.aaa
       Handle ID:      100
       Operation ID:      {0,119750183}
       Process ID:      2104
       Image File Name:      C:\WINDOWS\system32\notepad.exe
       Primary User Name:      MyUserName
       Primary Domain:      MyDomain
       Primary Logon ID:      (0x0,0x17AC3)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
                  ReadData (or ListDirectory)
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  ReadEA
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:            -
       Restricted Sid Count: 0

You might want to consider a utility that monitors folders for changes.  Here's a link to one such product: http://www.gdps.dk/products/watchDirectory.shtml?src=gokwmonfolders

This utility can even be set to notify you via email.  That's pretty handy.  If you do choose to go with auditing, then you might want to consider an application that'll help you sift throught the event logs.
0
 
jonnietexasCommented:
You might look for some undelete software for the server.  If it's good enough it might tell you who but best of all you might be able to recover the file.
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now