Folders and files deleted when users log on to network

Posted on 2008-10-03
Last Modified: 2012-05-05
We have an SBS2003 R2 installation with 12 workstations. All users use mapped drives to connect to the data. Sometimes when users log on a large amout of data on the server goes missing. I have set the security log to trap event 560 which I have set to monitor any delete actions. The last time this happened there was a string of events indicating that these files had in fact been deleted by the administrator and the final event said that the contents of the recycle bin had been emptied. I have checked all systems with antivirus software and found nothing - does anyone have any ideas?
Question by:nickjbryan5
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 18

Expert Comment

ID: 22633761
You can change the Administrator password and see if that event still shows the same.
You can download netmon from Microsoft or use Wireshark, whcih is also free, to see if you can identify what user or machine is accessing your server when data are lost.

Expert Comment

ID: 22633892
Are you running any kind of login scripts that could possible be deleting recycle bins and such? Also check your group policies to make sure you don't have any that are clearing files.

Author Comment

ID: 22709689
I have checked login scripts and the group policy logon/logoff and startup/shutdown scripts and can find nothing. I'm not sure whether there are any other scripts in group policy. I also omitted something in the origional post which is that the shared folders also become unshared when this happens. The symptoms also seem to have changed somewhat in that the last couple of times this has happened, the share becomes unshared and I get a long string of event 560 in the security log but the files the log says have been deleted are still there.
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.


Author Comment

ID: 22719136
I have also found entries in some w3svc1 logs that always occur just before the file deletes. An example is

2008-10-13 16:00:03 W3SVC1 PROPFIND /folder name - 80 - Microsoft- webDAB-MiniRedir /5.1.2600 501 0 0

A short time later data will be deleted. Can anyone make sense of this. Thanks.
LVL 18

Expert Comment

ID: 22720620
Looks like the message was generated by the Win XP WebDAV Mini-Redirector.
Take a look at the "Microsoft Wndows Clients" section at the bottom of this link:
It seems like you have IIS runnng that probably has create a virtual directory whcih also being use as the Web folder by client. Or check what has configured on your IIS.

Author Comment

ID: 22721832
I have had a look at the IIS configuration but I can't see anything unusual. The system is a Small Business server 2003 so it has folders for OWA set up by default. There are no unrecognised virtual directories in the setup. Also the folder name I refer to in my previous post (ie PROPFIND /folder name) is the one where files and folders go missing. I have also noticed that the ip address associated with the message does vary and are all local machines. I have attached a log from the w3svc1 service.
LVL 18

Accepted Solution

Americom earned 500 total points
ID: 22722217
The first IP is your IIS server IP. The second IP is an end-user workstation. Check on the workstation and see if they have a WebFolder configured and you may find out what the user is up to. Afterall, those event were generated by their Win XP WebDAV Mini-Redirector as from my above comment. You user may be doing publishing to your IIS Server. He or she may be able to tell you more. You can also get some idea from the following link:

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Problems with VOIP phones and Comcast Business internet connection 27 175
Server 2012 R2 SChannel Error 57 99
Cannot create 365 Migration Endpoint 11 134
Block Hacker? 2 37
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question