tnorman


Determine who created a file on Windows 2000 server

Hello all.

We have a standard Windows 2000 network here at this office. We have a shared folder with all of the lawyers' names in it, and under that, file numbers, precedents, etc.

We have this kind of thing:
\lawyers
     \jim
        \files
          \14343

Very standard stuff as far as folder setup goes.

Now, we have _someone_ in the office, downloading videos off the 'net and burying them deep inside one of these folders.

These babies are 300-400 MB, and are costing me in terms of available HD and filling up my backup.

We are pretty sure we know who is doing it, but would like to know for sure before we confront them.

When I do a right-click/Properties, all I get is the properties of the AVI file itself (i.e. no creator info).

Is there a feature of W2K Server that I can turn on to track who creates what?
Is there any third-party program that does the same thing?
Any other unique ideas?

After this, I am going to implement fixes (block ports on the firewall, etc.) but that will be after this.

Thanks,

TN
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
I'm writing this from my XP computer, so the options may be different from the computer where the files are stored. If so, and you get stuck, let me know and I'll find a computer with the OS you're using and do a rewrite.

1) Go to a command line and type secpol.msc
2) Go to Security Settings -> Local Policies -> Audit Policy -> Audit object access -> Audit these attempts, select Success, then OK.
3) Go to the folder or drive under which the next file is likely to be created, right-click and go to Properties -> Security -> Advanced -> Auditing.
4) Press Add and select or type in the name of the suspect(s) from the domain.
5) Select 'Successful' for Create Files/Write Data. Press OK and wait while the auditing is applied.
6) Check the security logs from Event Viewer and you will see the entries there.
7) Right-click on the security log and select Properties, up the log size to as large as you like, then make sure to select the overwrite option that you think will keep the log small, but will capture the data you want.
8) Wait until the suspect creates another file.
9) Check the log entry's time which corresponds to the creation time of the file.

Note: Auditing object access will put a performance hit on the computer hard drive, but you'll catch whoever's writing files to your directory. Make sure to turn this off (reverse the steps and remove) when you are finished or if it looks like you're capturing too much data and slowing down the entire system. Some caution is necessary and you may want to alert other admins before you do this.

Microsoft security reference you may want to consult for more info:
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx
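
Step 9 above matches a log entry's time against the file's creation time. The following is an added example, not part of the original answer, that does this match over a text export of the Security log. The "Field: value" layout, account names, times and drive letter are constructed, and the field names and event ID 560 (object open on Windows 2000) are assumed to match what the server writes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: Security-log entries in an assumed "Field: value" text
# export, blank-line separated. Names, times and drive letter are made up.
SAMPLE = r"""
Time: 2004-03-02 14:05:11
Event ID: 560
Object Name: D:\lawyers\jim\files\14343\clip.avi
Primary User Name: SERVER$
Client User Name: user_a
Accesses: WriteData (or AddFile)

Time: 2004-03-02 14:06:02
Event ID: 560
Object Name: D:\lawyers\jim\files\14343\clip.avi
Primary User Name: SERVER$
Client User Name: user_b
Accesses: ReadData (or ListDirectory)

Time: 2004-03-02 18:30:00
Event ID: 560
Object Name: D:\lawyers\jim\files\14343\clip.avi
Primary User Name: admin_c
Client User Name: -
Accesses: WriteData (or AddFile)
"""

def parse_events(text):
    """Return one dict per blank-line-separated entry."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [{k.strip(): v.strip() for k, v in
             (ln.split(":", 1) for ln in b.splitlines() if ":" in ln)}
            for b in blocks]

def writers_near(events, path, created, window=timedelta(minutes=2)):
    """Accounts that opened `path` for writing within `window` of `created`."""
    hits = []
    for ev in events:
        when = datetime.strptime(ev["Time"], "%Y-%m-%d %H:%M:%S")
        if (ev.get("Event ID") != "560"
                or ev.get("Object Name", "").lower() != path.lower()
                or not re.search(r"WriteData|AppendData", ev.get("Accesses", ""))
                or abs(when - created) > window):
            continue
        # Over a share the primary account is the server itself and the client
        # account is the person; "-" means the access was made locally.
        client = ev.get("Client User Name", "-")
        hits.append((when, client if client != "-" else ev["Primary User Name"]))
    return sorted(hits)
```

Call `writers_near(parse_events(SAMPLE), path, created)` with the file's full path and its creation time as a `datetime`; read-only opens and writes outside the window are ignored.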
crissand

On the server: right-click My Computer/Manage/Disk Management. Highlight the disk you want to see, right-click it, select Properties, then the Quota tab, and select Enable quota management. Let the server calculate the amount of files each user has created on the server. After the server has finished, click the Quota Entries button and you'll see how much space each user is using. There could be more than one person writing unwanted files on the server. If you want to give them a surprise, give them a disk quota.