Link to home
Start Free TrialLog in
Avatar of nickjbryan5
nickjbryan5Flag for United Kingdom of Great Britain and Northern Ireland

asked on

Folders and files deleted when users log on to network

We have an SBS2003 R2 installation with 12 workstations. All users use mapped drives to connect to the data. Sometimes when users log on a large amout of data on the server goes missing. I have set the security log to trap event 560 which I have set to monitor any delete actions. The last time this happened there was a string of events indicating that these files had in fact been deleted by the administrator and the final event said that the contents of the recycle bin had been emptied. I have checked all systems with antivirus software and found nothing - does anyone have any ideas?
Avatar of Americom
Americom
Flag of United States of America image

You can change the Administrator password and see if that event still shows the same.
You can download netmon from Microsoft or use Wireshark, whcih is also free, to see if you can identify what user or machine is accessing your server when data are lost.
Avatar of ckozloski
ckozloski

Are you running any kind of login scripts that could possible be deleting recycle bins and such? Also check your group policies to make sure you don't have any that are clearing files.
Avatar of nickjbryan5

ASKER

I have checked login scripts and the group policy logon/logoff and startup/shutdown scripts and can find nothing. I'm not sure whether there are any other scripts in group policy. I also omitted something in the origional post which is that the shared folders also become unshared when this happens. The symptoms also seem to have changed somewhat in that the last couple of times this has happened, the share becomes unshared and I get a long string of event 560 in the security log but the files the log says have been deleted are still there.
I have also found entries in some w3svc1 logs that always occur just before the file deletes. An example is

2008-10-13 16:00:03 W3SVC1 10.0.0.2 PROPFIND /folder name - 80 - 10.0.0.205 Microsoft- webDAB-MiniRedir /5.1.2600 501 0 0

A short time later data will be deleted. Can anyone make sense of this. Thanks.
Looks like the message was generated by the Win XP WebDAV Mini-Redirector.
Take a look at the "Microsoft Wndows Clients" section at the bottom of this link:
http://en.wikipedia.org/wiki/WebDAV
It seems like you have IIS runnng that probably has create a virtual directory whcih also being use as the Web folder by client. Or check what has configured on your IIS.
I have had a look at the IIS configuration but I can't see anything unusual. The system is a Small Business server 2003 so it has folders for OWA set up by default. There are no unrecognised virtual directories in the setup. Also the folder name I refer to in my previous post (ie PROPFIND /folder name) is the one where files and folders go missing. I have also noticed that the ip address associated with the message does vary and are all local machines. I have attached a log from the w3svc1 service.
ex081007.log
ASKER CERTIFIED SOLUTION
Avatar of Americom
Americom
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial