Determine who created a file on Windows 2000 server

Posted on 2004-10-04
Medium Priority
Last Modified: 2010-03-18
Hello all.

We have a standard Windows 2000 network here at this office.  We have a shared folder with all of the lawyers names in it, and under that, file numbers, precedents, etc.

We have this kind of thing:

Very standard stuff as far as folder setup goes.

Now, we have _someone_ in the office, downloading videos off the 'net and burying them deep inside one of these folders.

These babies are 300-400 MB, and are costing me in terms of available HD and filling up my backup.

We are pretty sure we know who is doing it, but would like to know for sure before we confront them.

When I do a right-click/Properties, all I get is the properties of the AVI file itself (i.e. no creator info).

Is there a feature of W2K Server that I can turn on to track who creates what?
Is there any third-party program that does the same thing?
Any other unique ideas?

After this, I am going to implement fixes (block ports on the firewall, etc.) but that will be after this.


Question by:tnorman
LVL 86

Accepted Solution

oBdA earned 1000 total points
ID: 12225031
You can determine that by the ownership. Right-click the file, go to Properties, choose the "Security" tab, click the "Advanced" button, and have a look at the "Owner" tab.

Expert Comment

ID: 12228407
I'm writing this from my XP computer, so the options may be different from the computer where the files are stored. If so, and you get stuck, let me know and I'll find a computer with the OS you're using and do a rewrite.

1) go to a command line and type secpol.msc
2) go to security settings -> local policies -> audit policy -> audit object access -> audit these attempts and select success then OK.
3) go to the folder or drive under which the next file is likely to be created, right click and go to properties -> security -> advanced -> auditing
4) press add and select or type in the name of the suspect(s) from the domain.
5) select 'successful' for create files/write data. press OK and wait while the auditing is applied.
6) Check the security logs from event viewer and you will see the entries there.
7) Right click on the security log and select properties, up the log size to as large as you like, then make sure to select the overwrite option that you think will keep the log small, but will capture the data you want.
8) wait until the suspect creates another file
9) Check the log entry's time which corresponds to the creation time of the file.

Note: Auditing object access will put a performance hit on the computer hard drive, but you'll catch whoever's writing files to your directory. Make sure to turn this off (reverse the steps and remove) when you are finished or if it looks like you're capturing too much data and slowing down the entire system. Some caution is necessary and you may want to alert other admins before you do this.

Microsoft security reference you may want to consult for more info:
LVL 18

Expert Comment

ID: 12228782
On the server: Right click My computer/Manage/Disk management Highlight the disk you want to see and Right click on it, select Properties, the tab Quota and select Enable quota management. Let the server to calculate the amount of files each user has created on the server. Atfer the server is finishing, click the button Quota Entries and you'll se how much space is using each user. Could be more than one that is writing unwanted files on the server. If you want to make them a surprise, give them a disk quota.

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Downtime reduced, data recovered by utilizing an Experts Exchange Business Account Challenge The United States Marine Corps employs more than 200,000 active-duty Marines with operations in four continents, all requiring complex networking system…
I’m a fan of folder redirection, however, it does have a couple of “Gotchas!” you have to look out for.  For example, if you redirect a user’s AppData folder to a DFS namespace, shortcuts on the taskbar are no longer trusted.  Here’s how to fix that.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Watch the video to know how one can repair corrupt Exchange OST file effortlessly and convert OST emails to MS Outlook PST file format by using Kernel for OST to PST converter tool. It can convert OST to MSG, MBOX, EML to access them. It can migrate…

586 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question