Link to home
Start Free TrialLog in
Avatar of kfasick
kfasickFlag for United States of America

asked on

Tracking user as they access files on Windows 2000 & 2003 Server

Is there any way to track users as they access, change or delete file on Windows 2k-2k3 servers.  I've been running into a problem about some users accessing some files and some got deleted.  I need to find out "who and when" accessed the files.
ASKER CERTIFIED SOLUTION
Avatar of oBdA
oBdA
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of David Lee
David Lee
Flag of United States of America image
In addition to the "serious impact on the performance of your file server" that oBdA mentioned, you'll also need to be prepared to spend time digging through the event logs looking for the auditing information.  Here's a sample of the type of information you get in the audit log when auditing file and folder events.  You can certainly narrow the search for events down by filtering the event log, but if you're auditing a lot of files and folders and your server is reasonably busy, then you can expect a lot of events to pick through.  

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\MyFolder\sss.aaa
       Handle ID:      100
       Operation ID:      {0,119750183}
       Process ID:      2104
       Image File Name:      C:\WINDOWS\system32\notepad.exe
       Primary User Name:      MyUserName
       Primary Domain:      MyDomain
       Primary Logon ID:      (0x0,0x17AC3)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
                  ReadData (or ListDirectory)
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  ReadEA
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:            -
       Restricted Sid Count: 0

You might want to consider a utility that monitors folders for changes.  Here's a link to one such product: http://www.gdps.dk/products/watchDirectory.shtml?src=gokwmonfolders

This utility can even be set to notify you via email.  That's pretty handy.  If you do choose to go with auditing, then you might want to consider an application that'll help you sift throught the event logs.
Avatar of jonnietexas
jonnietexas
You might look for some undelete software for the server.  If it's good enough it might tell you who but best of all you might be able to recover the file.