Solved

Determine who created a file on Windows 2000 server

Posted on 2004-10-04
Last Modified: 2010-03-18
Hello all.

We have a standard Windows 2000 network here at this office. We have a shared folder with all of the lawyers' names in it, and under that, file numbers, precedents, etc.

We have this kind of thing:
\lawyers
     \jim
        \files
          \14343

Very standard stuff as far as folder setup goes.

Now, we have _someone_ in the office, downloading videos off the 'net and burying them deep inside one of these folders.

These babies are 300-400 MB, and are costing me in terms of available HD and filling up my backup.

We are pretty sure we know who is doing it, but would like to know for sure before we confront them.

When I do a right-click/Properties, all I get is the properties of the AVI file itself (i.e. no creator info).

Is there a feature of W2K Server that I can turn on to track who creates what?
Is there any third-party program that does the same thing?
Any other unique ideas?

After this, I am going to implement fixes (block ports on the firewall, etc.) but that will be after this.

Thanks,

TN
Question by:tnorman
3 Comments
 
LVL 82

Accepted Solution

by:
oBdA earned 250 total points
You can determine that by the ownership. Right-click the file, go to Properties, choose the "Security" tab, click the "Advanced" button, and have a look at the "Owner" tab.
0
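Added example (not part of the original thread): the same Owner lookup done in bulk, for when there are many files buried under the share. The share path, extension list and size threshold are assumed placeholder values, and the script assumes a workstation or server with Windows PowerShell 3.0 or later that can read the share.

```powershell
# Added example. $Root, $Extensions and $MinBytes are placeholders, not values from the thread.
$Root       = '\\SERVER\lawyers'
$Extensions = @('.avi', '.mpg', '.mpeg', '.wmv')
$MinBytes   = 100MB

function Get-LargeFileOwner {
    param([string]$Root, [string[]]$Extensions, [long]$MinBytes)

    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() -and $_.Length -ge $MinBytes } |
        ForEach-Object {
            # Owner is the same value the Security > Advanced > Owner tab shows.
            $owner = try {
                (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
            } catch {
                '<ACL not readable>'
            }
            [pscustomobject]@{
                Owner   = $owner
                SizeMB  = [math]::Round($_.Length / 1MB, 1)
                Created = $_.CreationTime
                Path    = $_.FullName
            }
        }
}

$hits = @(Get-LargeFileOwner -Root $Root -Extensions $Extensions -MinBytes $MinBytes)

# One row per file, oldest first.
$hits | Sort-Object Created | Format-Table -AutoSize

# Space used per owner, largest first.
$hits | Group-Object Owner | ForEach-Object {
    [pscustomobject]@{
        Owner   = $_.Name
        Files   = $_.Count
        TotalMB = ($_.Group | Measure-Object -Property SizeMB -Sum).Sum
    }
} | Sort-Object TotalMB -Descending | Format-Table -AutoSize
```

The Owner field can show the Administrators group instead of a person when the file was written by a member of that group, and ownership can be reassigned afterwards, so treat it as a strong hint and confirm with auditing before acting on it.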
 
LVL 9

Expert Comment

by:SirtenKen
I'm writing this from my XP computer, so the options may be different from the computer where the files are stored. If so, and you get stuck, let me know and I'll find a computer with the OS you're using and do a rewrite.

1) go to a command line and type secpol.msc
2) go to security settings -> local policies -> audit policy -> audit object access -> audit these attempts and select success then OK.
3) go to the folder or drive under which the next file is likely to be created, right click and go to properties -> security -> advanced -> auditing
4) press add and select or type in the name of the suspect(s) from the domain.
5) select 'successful' for create files/write data. press OK and wait while the auditing is applied.
6) Check the security logs from event viewer and you will see the entries there.
7) Right click on the security log and select properties, up the log size to as large as you like, then make sure to select the overwrite option that you think will keep the log small, but will capture the data you want.
8) wait until the suspect creates another file
9) Check the log entry's time which corresponds to the creation time of the file.

Note: Auditing object access will put a performance hit on the computer hard drive, but you'll catch whoever's writing files to your directory. Make sure to turn this off (reverse the steps and remove) when you are finished or if it looks like you're capturing too much data and slowing down the entire system. Some caution is necessary and you may want to alert other admins before you do this.

Microsoft security reference you may want to consult for more info:
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx
0
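Added example (not part of the original thread): steps 3 to 5 and the log check in steps 6 and 9 as a script. It assumes a file server recent enough to run Windows PowerShell, where an audited file write is logged as Security event 4663; the folder, account name, file path and ten-minute window are placeholders.

```powershell
# Added example. Run from an elevated prompt on the file server.
# Assumes "audit object access" success auditing is already enabled (step 2).
$Folder  = 'D:\lawyers'      # placeholder: folder to watch (step 3)
$Suspect = 'EXAMPLE\jdoe'    # placeholder: account to audit (step 4)

# Steps 3-5: success audit entry for "create files / write data",
# inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Suspect, 'CreateFiles', 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Steps 6 and 9: list audited accesses under a path within a time window.
function Get-FileWriteAudit {
    param([string]$PathPrefix, [datetime]$Start, [datetime]$End)

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Read the named fields from the event XML instead of parsing the message text.
            foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            $name = $data['ObjectName']
            if ($name -and $name.StartsWith($PathPrefix, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Time = $evt.TimeCreated
                    User = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    File = $name
                }
            }
        }
}

# Step 9: look at the minutes around the creation time of a newly found file.
$file = Get-Item -LiteralPath 'D:\lawyers\jim\files\14343\example.avi'   # placeholder path
Get-FileWriteAudit -PathPrefix $Folder `
    -Start $file.CreationTime.AddMinutes(-5) -End $file.CreationTime.AddMinutes(5) |
    Sort-Object Time | Format-Table -AutoSize
```

When finished, the same rule can be taken off again with `$acl.RemoveAuditRule($rule)` followed by `Set-Acl`, in line with the note above about turning auditing off.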
 
LVL 18

Expert Comment

by:crissand
On the server: Right-click My Computer/Manage/Disk Management. Highlight the disk you want to see, right-click on it, select Properties, then the Quota tab, and select Enable quota management. Let the server calculate the amount of files each user has created on the server. After the server has finished, click the Quota Entries button and you'll see how much space each user is using. There could be more than one user writing unwanted files on the server. If you want to give them a surprise, give them a disk quota.
0
