Solved

Determine who created a file on Windows 2000 server

Posted on 2004-10-04
3
195 Views
Last Modified: 2010-03-18
Hello all.

We have a standard Windows 2000 network here at this office.  We have a shared folder with all of the lawyers names in it, and under that, file numbers, precedents, etc.

We have this kind of thing:
\lawyers
     \jim
        \files
          \14343

Very standard stuff as far as folder setup goes.

Now, we have _someone_ in the office, downloading videos off the 'net and burying them deep inside one of these folders.

These babies are 300-400 MB, and are costing me in terms of available HD and filling up my backup.

We are pretty sure we know who is doing it, but would like to know for sure before we confront them.

When I do a right-click/Properties, all I get is the properties of the AVI file itself (i.e. no creator info).

Is there a feature of W2K Server that I can turn on to track who creates what?
Is there any third-party program that does the same thing?
Any other unique ideas?

After this, I am going to implement fixes (block ports on the firewall, etc.) but that will be after this.

Thanks,

TN
0
Comment
Question by:tnorman
3 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 12225031
You can determine that by the ownership. Right-click the file, go to Properties, choose the "Security" tab, click the "Advanced" button, and have a look at the "Owner" tab.
0
 
LVL 9

Expert Comment

by:SirtenKen
ID: 12228407
I'm writing this from my XP computer, so the options may be different from the computer where the files are stored. If so, and you get stuck, let me know and I'll find a computer with the OS you're using and do a rewrite.

1) go to a command line and type secpol.msc
2) go to security settings -> local policies -> audit policy -> audit object access -> audit these attempts and select success then OK.
3) go to the folder or drive under which the next file is likely to be created, right click and go to properties -> security -> advanced -> auditing
4) press add and select or type in the name of the suspect(s) from the domain.
5) select 'successful' for create files/write data. press OK and wait while the auditing is applied.
6) Check the security logs from event viewer and you will see the entries there.
7) Right click on the security log and select properties, up the log size to as large as you like, then make sure to select the overwrite option that you think will keep the log small, but will capture the data you want.
8) wait until the suspect creates another file
9) Check the log entry's time which corresponds to the creation time of the file.

Note: Auditing object access will put a performance hit on the computer hard drive, but you'll catch whoever's writing files to your directory. Make sure to turn this off (reverse the steps and remove) when you are finished or if it looks like you're capturing too much data and slowing down the entire system. Some caution is necessary and you may want to alert other admins before you do this.

Microsoft security reference you may want to consult for more info:
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx
0
 
LVL 18

Expert Comment

by:crissand
ID: 12228782
On the server: Right click My computer/Manage/Disk management Highlight the disk you want to see and Right click on it, select Properties, the tab Quota and select Enable quota management. Let the server to calculate the amount of files each user has created on the server. Atfer the server is finishing, click the button Quota Entries and you'll se how much space is using each user. Could be more than one that is writing unwanted files on the server. If you want to make them a surprise, give them a disk quota.
0

Featured Post

New! My Passport Wireless Pro Wi-Fi Mobile Storage

Portable wireless storage to offload, edit, and stream anywhere.

High-capacity, wireless mobile storage designed to accompany professional photographers and videographers in the field to easily offload, edit and stream captured photos and high-definition videos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now