Solved

Need help auditing disappearing files

Posted on 2008-10-15
Last Modified: 2012-08-13
I have a Server 2008 file server running DFS to allow access to the data by the end users. I have the end users mapped to the namespace and that is how they work, \\domain.com\Production is mapped to T:\

I have an instance in the past few days that someone is coming to me every day saying files are missing randomly and have been deleted and they didn't do it. He also has some files that he said are being rolled back, i.e. he made changes at 3 PM today, but at 4 PM he went to make more changes and now it shows the file timestamps as 2 PM. This obviously is very confusing so I have taken the following steps...

On the local policy of the server I turned on audit Object Access success and failure. I then went to the directory in question at the root and set up Everyone with success/failure on delete and delete subfolders and files.

There has been another case of this happening since I turned it on but I can't seem to find anything in the logs to tell me what is happening. Is there a specific event ID that tells me if it has been deleted? Also what do I need to check to tell me when something is being modified?

EDIT: I also seem to be pulling random logon events into my security log on this local machine when I know for a fact that these users are not logging into the server...what is going on with that?
Question by:mikerunkel
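
The audit setup described in the question, as an added example that is not part of the original thread: on Server 2008 an audited file access is logged as Security event 4663, whose AccessMask shows the right that was used (0x10000 is DELETE), and event 4660 with the same HandleId records that the object was deleted. `Get-FileAuditHit`, `New-SampleEvent` and the sample events are constructed for illustration; writes only appear if the folder's auditing entry also covers "Create files / write data".

```powershell
# Added example (not from the thread). Needs PowerShell 2.0+ for Get-WinEvent.
# Get-FileAuditHit is a hypothetical helper name.
function Get-FileAuditHit {
    param([string[]]$EventXml)
    $confirmed = @{}   # HandleId values seen in a 4660 "An object was deleted"
    $hits = @()
    foreach ($x in $EventXml) {
        $e = ([xml]$x).Event
        $d = @{}       # flatten <Data Name="..."> into a lookup table
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        switch ([string]$e.System.EventID) {
            '4660' { $confirmed[$d['HandleId']] = $true }
            '4663' {
                $mask = [Convert]::ToInt32($d['AccessMask'], 16)
                $rights = @()
                if ($mask -band 0x10000) { $rights += 'DELETE' }
                if ($mask -band 0x6)     { $rights += 'Write/Append' }
                if ($rights.Count -gt 0) {
                    $hits += New-Object PSObject -Property @{
                        Time     = $e.System.TimeCreated.SystemTime
                        User     = $d['SubjectDomainName'] + '\' + $d['SubjectUserName']
                        Rights   = $rights -join ','
                        Object   = $d['ObjectName']
                        Process  = $d['ProcessName']
                        HandleId = $d['HandleId']
                    }
                }
            }
        }
    }
    # Handle IDs are reused over time, so treat a match as a lead, not proof.
    foreach ($h in $hits) {
        $h | Add-Member -MemberType NoteProperty -Name Deleted -Value ($confirmed.ContainsKey($h.HandleId)) -PassThru
    }
}

# Constructed sample events, trimmed to the fields used above.
function New-SampleEvent($id, $time, $fields) {
    $data = ($fields.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$id</EventID><TimeCreated SystemTime='$time'/></System><EventData>$data</EventData></Event>"
}
$sample = @(
    (New-SampleEvent 4663 '2008-10-15T19:02:11Z' @{ SubjectDomainName='EXAMPLE'; SubjectUserName='jdoe'; ObjectName='D:\Production\job42\plan.txt'; HandleId='0x3c8'; AccessMask='0x2' }),
    (New-SampleEvent 4663 '2008-10-15T20:01:07Z' @{ SubjectDomainName='EXAMPLE'; SubjectUserName='FILESRV$'; ObjectName='D:\Production\job42\setup.reg'; HandleId='0x5a4'; AccessMask='0x10000'; ProcessName='C:\Program Files\ExampleAV\scanner.exe' }),
    (New-SampleEvent 4660 '2008-10-15T20:01:07Z' @{ SubjectDomainName='EXAMPLE'; SubjectUserName='FILESRV$'; HandleId='0x5a4' })
)
Get-FileAuditHit -EventXml $sample | Select-Object Time, User, Rights, Deleted, Object, Process
# Live log: Get-FileAuditHit -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660,4663} | ForEach-Object { $_.ToXml() })
```

The User and Process columns are what separate a delete made under a person's account from one made by a service running on the server itself.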
13 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22747813
The missing files may have been moved/renamed instead of deleted. Audit read access to see who last accessed the file.
The incorrect timestamp can be caused by incorrect timezone on client or server.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22749513
Let's talk about where these files are saved to:

Are these roaming profiles and the files reside in "My documents"? Are the files sent to the local profiles "my documents" and a copy of these profiles saved on the server? Or are these files on the file server and edited directly then saved on the file server?

 

Author Comment

by:mikerunkel
ID: 22757592
I double checked and the server is synchronizing with our NTP server so I think the date/time is okay! The person who is missing the files is the last accessor of them all so that doesn't seem out of the ordinary. He is a sophisticated user so I don't think it's a user error on accidentally deleting or not saving them.

The files are accessed, edited and saved directly on the file server. We do not use roaming profiles, nor do we use any type of "My Documents" re-direction. Is this method best practice do you think?

 

Author Comment

by:mikerunkel
ID: 22840353
Is there anyone who can help with my question?
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22923873
Wow, this one slipped through the cracks. I am terribly sorry I haven't been responding to the post.

Let's see now, the files are saved locally and they end up disappearing.

So, this may be the attributes of the file. Do you think these files could be hidden from view?
 

Author Comment

by:mikerunkel
ID: 22924216
Well when you say locally, you mean locally on the file server? When I log in I have all the hidden, and system files shown. None of the ones that tend to be disappearing were known to be ever set as hidden.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22924369
I have run into a similar situation where the administrator thought they had true roaming profiles. Instead they had a copy of the profile saved on the server. The user was editing the copy of the profile. Then, upon logging off, their local profile was written over the top of what they just saved on the server. So, their work disappeared and it looked (to the user) like their files were disappearing. Actually they were getting overwritten.

This is why I asked, are these roaming profiles or saved copies of the profile. The user may be trying to edit and save data on a copy of his/her profile.
 

Author Comment

by:mikerunkel
ID: 22963142
Ok I think I understand what you're saying. The user actually isn't doing anything with his profile...we have a data server, \\data-server\Production mapped out to a drive letter. People just click the drive letter that is mapped to the file server and work off files in that manner. Very little is stored on users' Desktop, My Documents or on the C:\ drive itself.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22963264
Oh, I See:

So, these files are saved on the server and you are sure they haven't accidentally been saved on the user's local desktop as a user error?
 

Author Comment

by:mikerunkel
ID: 23003443
Oh sorry, I missed my notification email that a reply was logged.

Yes correct. I am able to see them on my backups for months then all of a sudden they are not there anymore. The user will typically work on the directory for a month or so then not have to mess with it again for 6-18 months. In theory the files will just sit there until they are worked on again.
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 23039714
What kind of files are these? Are they .reg, .exe, .vbs or any other type of file that could be blocked by an Antivirus program?

Some AV programs will deny accessibility from install or operating system intrusive files from being saved on the server.
 

Author Comment

by:mikerunkel
ID: 23098196
They seem to vary, a lot of them are .txt files. We do have some .reg files though. So if the AntiVirus program was blocking it, I would need to get on the server to set an exclusion for those folders do you think?
 

Author Closing Comment

by:mikerunkel
ID: 31506501
I've not had any more files missing as far as I can tell so I assume this fixed it...