Solved

Something moving files and folders on server share - anybody ever had this?

Posted on 2006-11-17
14
277 Views
Last Modified: 2010-04-18
Couldn't find Windows 2K Server section so hope it's OK to post here - Our file server runs Windows 2000 Server and over the years, we have occasionally noticed files and folders appearing in other folders.  This doesn't happen often and normally I would put it down to an accident but the way it is happening cannot be done accidentally.  All users are competent and would know if they had cut a folder, moved to another folder and pasted it and for such a small company, this would be a completely pointless task.  This is why I am assuming it is something rather than somebody, so let's concentrate on what could be causing this.

I have since applied auditing but it is so intermittent I doubt this will help.  I just wanted to know if anybody has had a similar problem.

Note: I recently installed a new high capacity SATA drive and moved all data to this, so it can't be an issue with the drive.  The only things actually running on it are -

Veritas Backup Exec every night
Sophos Update

Thanks
0
Comment
Question by:fuzzyfreak
14 Comments
 
LVL 18

Expert Comment

by:PowerIT
ID: 17964641
I'm convinced that this is indeed by accident caused by users. I have seen this happen a lot. Auditing helped to pinpoint a user. Usually a different one each time.
And it always happens to my users at very busy times. And they never know that they did this, or don't want to admit it. And it's also with competent users.
I think that it's not through cut and paste, but through accidental drag and drop in explorer.
It can happen very easily and quickly: if the folders are not too large, on a fast network you wouldn't notice it. And if the user is disturbed at the moment it happens then he certainly would not notice it.

Hope this helps.

J.
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17964654
I've had that issue, but I most certainly could not say, "All users are competent."  In fact, that statement seems to be an oxymoron to me.  ;)

0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 17965225
I am still not convinced, very few of our users actually use My Computer, none use Explorer.  This particular incident took 4 entire folders out of a root folder and placed into another root folder, this cannot be done by accident through drag and drop.  Another folder had all its files taken out that began with a through to b - so the only ones left were from c to z.  The files were then found in another root folder with the sub folder having the same name as the original - so for this to happen, somebody would have had to create a new folder, name it, take out all files from original with name beginning a or b and paste into the new folder.  This would not have achieved anything and there is no reason why anybody would be doing this.  I have a lot of respect for our users and disagree with your pretentious comment Adam.

Either way, I'll keep an eye on the audit logs and hopefully will still be able to post to this thread in a year's time.
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17965335
Fuzzy,

I'm sorry you took the comment as pretentious.  I included a little winky face to let you know it's not entirely in earnest.  Depending on the industry, there can obviously be a higher percentage of competent users than others.  In general, though, most businesses are not comprised of a group of users who understand how things operate on their systems.  If yours is, more the better for you and congrats.

The point I was really trying to make through perhaps a bad attempt at humor is that all users eventually do things like that.  I had folders moved wherein "no one did it", and it was one of my more "competent users" who was just too embarrassed to admit it (it was a rather important directory used daily that caused a huge uproar when it "disappeared") and was afraid to move it back.  No big deal; got it fixed and the problem locked down as soon as I figured out it was actually user interaction and not some evil virus.

0
 
LVL 18

Expert Comment

by:PowerIT
ID: 17965341
You also use explorer when opening a file in Word, Excel, PowerPoint etc ...
And the scenario you are describing is very typical: the move starts through e.g. drag and drop. The user sees it, panics and presses cancel. Result: a through b moved, all the rest not. It's so recognizable to me. And users are only human, however well regarded.
Also, if on the same volume rights are copied with the files. With root you probably mean a share isn't it?
What you describe is very possible, but would also depend on the ACLs of the files, folders. Can you post those for a case that happened (including the levels above and the inheritance settings)?

J.
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17965356
PowerIT,

The cancel button issue sounds exactly like what happened here.  Until I figured that out, I spent a good few hours trying to figure out how the "virus" was moving files beginning with numbers and the letter A, but not anything else :)
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 17965404
Yes Adam, also what you described, it's all so recognizable that I started laughing out loud.
But, fuzzyfreak still gets the benefit of the doubt, until he is convinced or can prove otherwise through logs and showing the ACLs etc.

J.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 17965442
Apology accepted Adam, I knew you were joking and yes, I am very lucky to have raised a competent batch of users, this is all about having a good call logging process and training documentation.  

Thanks both for your input, I must admit I do want to believe it is user error because I can accept that, if it is a technical issue, I want to know what is causing it.  What you both might be able to help me with is, is there any way of protecting a folder structure at all?  All my users need modify rights to most files on the file server, so how do I protect the folder structure?
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 125 total points
ID: 17966179
I have been thinking about this for years, and my conclusion has always been: you can’t without severely restricting the users.
Bear with me:
NTFS has no move permission.  The permissions that include this are delete and write.  If a user has write permission to a folder then they can move anything into that folder. If a user has delete permission to a folder then they can move anything out of that folder. Maybe one day, MS will create a move permission...
In any case, the users must have read and write permission. That means that he can move/copy also.
You could remove the delete permission, but the user will still be able to copy the folder or file to a location where he has create rights. He will not be able to delete the original and get an error message, but the copy portion of the move will have taken place. And a lot of applications will not be able to handle having write permissions but not delete, when they create a new version of a file.
So the only obvious thing is not giving write permission to the possible destination folders. But that won’t prevent a user from moving to places where he has that permission.

I currently solve those ‘help, the folder has vanished’-calls by using Volume Shadow Copy on 2003 server. Quickly restore the folder so that users can at least revert back to the version of the last snapshot. And then find out where the hell they moved it and do the cleanup work.

Maybe there is a third party tool out there to do just that. But I haven't seen it yet.

J.
0
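An added example, not part of the original thread or any poster's code: since a move shows up in auditing only as a write in the destination plus a delete in the source, this sketch pairs the two by user, file name and time to name who moved what, and its per-folder summary exposes the "only a through b moved" pattern of a cancelled drag and drop. The record layout (`time|user|access|path`), the paths and the user names are constructed for illustration and are not the real Security event log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample records: time|user|access|path. Simplified layout,
# not the real Security event log format.
SAMPLE = """\
2006-11-17 10:02:11|jsmith|WRITE|D:\\Shares\\Sales\\Clients\\acme.doc
2006-11-17 10:02:11|jsmith|DELETE|D:\\Shares\\Projects\\Clients\\acme.doc
2006-11-17 10:02:12|jsmith|WRITE|D:\\Shares\\Sales\\Clients\\bolt.xls
2006-11-17 10:02:12|jsmith|DELETE|D:\\Shares\\Projects\\Clients\\bolt.xls
2006-11-17 10:05:40|mjones|WRITE|D:\\Shares\\Projects\\Clients\\zeta.doc
2006-11-17 11:30:00|mjones|DELETE|D:\\Shares\\Projects\\Old\\temp.doc
"""

def parse(text):
    for line in text.splitlines():
        ts, user, access, path = line.split("|", 3)
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, access, path

def find_moves(text, window=timedelta(seconds=5)):
    """Pair a WRITE in one folder with a DELETE of the same file name in
    another folder, by the same user, within `window`: the two rights a
    move needs, since NTFS has no separate move permission."""
    writes = defaultdict(list)   # (user, lowercase leaf name) -> [(ts, path)]
    deletes = []
    for ts, user, access, path in parse(text):
        key = (user, ntpath.basename(path).lower())
        if access == "WRITE":
            writes[key].append((ts, path))
        elif access == "DELETE":
            deletes.append((ts, key, path))
    moves = []
    for ts, key, src in deletes:
        for wts, dst in writes[key]:
            same_dir = ntpath.dirname(dst).lower() == ntpath.dirname(src).lower()
            if abs(ts - wts) <= window and not same_dir:
                moves.append((key[0], src, dst))
                break
    return moves

def summarize(moves):
    """Group moved file names per (user, source folder, destination folder)."""
    groups = defaultdict(list)
    for user, src, dst in moves:
        groups[(user, ntpath.dirname(src), ntpath.dirname(dst))].append(ntpath.basename(src))
    return {k: sorted(v) for k, v in groups.items()}
```

A lone delete or a lone write (the two `mjones` records) is deliberately not reported; only the matched pair is treated as a move.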
 
LVL 16

Accepted Solution

by:AdamRobinson
AdamRobinson earned 125 total points
ID: 17966375
I also can't give an easy solution.  I moved a lot of it to an internal Sharepoint site, which gave me a bit more control over what was happening (basically by making it harder for a user to accidentally destroy something).

Did just give me an idea I'm going to go test though.  Pretty sure it will fail, but what the heck.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 17979096
Interesting idea there Adam about managing through sharepoint - I presume your users can access the server files through companyweb but not through My Computer/Explorer?

Am I to also assume, further to PowerIT's comment, that it still won't stop users making mistakes through the Open File dialogue?  Can you access companyweb through the Open File dialogue and restrict access to the server files?
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17982747
Fuzzy:

Correct, they're allowed access to it through Sharepoint, but not through my comp/windows explorer -- at least on the documents and files relegated to Sharepoint land.    

They can still wreak some havoc, but the fact that it requires multiple clicks to perform bad actions now limits it greatly.

This isn't so much about actually making an effective permission list that keeps users from performing bad actions (they still have access to another drive which is shared), but in putting non-prohibitive means of slowing them down on actions like delete.  

0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 18386474
You may go ahead and archive this question.  It has yet to happen again and until it happens a few more times, I will not be able to diagnose the issue.

I very much appreciate the comments of both participants (Experts)

Many thanks

Fuzzy.
0
