Solved

Need help auditing disappearing files

Posted on 2008-10-15
Last Modified: 2012-08-13
I have a Server 2008 file server running DFS to allow access to the data by the end users. I have the end users mapped to the namespace and that is how they work: \\domain.com\Production is mapped to T:\

I have an instance in the past few days that someone is coming to me every day saying files are missing randomly and have been deleted and they didn't do it. He also has some files that he said are being rolled back, i.e. he made changes at 3 PM today, but at 4 PM he went to make more changes and now it shows the file timestamps as 2 PM. This obviously is very confusing so I have taken the following steps...

On the local policy of the server I turned on audit Object Access success and failure. I then went to the directory in question at the root and set up Everyone with success/failure on delete and delete subfolders and files.

There has been another case of this happening since I turned it on but I can't seem to find anything in the logs to tell me what is happening. Is there a specific event ID that tells me if it has been deleted? Also what do I need to check to tell me when something is being modified?

EDIT: I also seem to be pulling random logon events into my security log on this local machine when I know for a fact that these users are not logging into the server...what is going on with that?
0
Question by:mikerunkel
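
An added example, not part of the original question or any reply: with Object Access auditing and a delete SACL in place as described above, file deletions are recorded in the Security log as event 4663 (access attempt, with the DELETE right 0x10000 in its access mask) and event 4660 (object deleted), which share a handle ID. The script assumes PowerShell 2.0 or later run elevated on the file server; the folder path is a placeholder and the 60-second matching window is an arbitrary choice.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# $Folder is a placeholder for the local path of the audited directory.
$Folder = 'D:\Production'
$Since  = (Get-Date).AddDays(-7)
$DELETE = 0x10000    # DELETE bit in the AccessMask field of event 4663

function ConvertTo-FieldTable($Event) {
    # Read EventData by field name so the result does not depend on field order.
    $t = @{ Time = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $t[$d.Name] = $d.'#text' }
    $t
}

$filter  = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $Since }
$records = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-FieldTable $_ })

# 4660 ("An object was deleted") carries no path, only the handle and process.
$deleted = @($records | Where-Object { $_.Id -eq 4660 })

$records | Where-Object {
    $_.Id -eq 4663 -and
    $_.ObjectName -like "$Folder\*" -and
    ([Convert]::ToInt32($_.AccessMask, 16) -band $DELETE)
} | ForEach-Object {
    $r = $_
    # Handle IDs are reused, so also match the process and require closeness in time.
    $match = $deleted | Where-Object {
        $_.HandleId -eq $r.HandleId -and $_.ProcessId -eq $r.ProcessId -and
        [math]::Abs(($_.Time - $r.Time).TotalSeconds) -le 60
    }
    New-Object PSObject -Property @{
        Time      = $r.Time
        User      = "$($r.SubjectDomainName)\$($r.SubjectUserName)"
        Path      = $r.ObjectName
        Process   = $r.ProcessName
        Confirmed = [bool]$match    # true when a matching 4660 was found
    }
} | Sort-Object Time | Format-Table Time, User, Path, Process, Confirmed -AutoSize
```

A row with Confirmed set to False used the DELETE right without a matching 4660, which can indicate a rename or move rather than a deletion. Modifications only appear as 4663 events if the folder's audit entries also cover write access, which the setup described in the question does not include.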
13 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
The missing files may have been moved/renamed instead of deleted. Audit read access to see who last accessed the file.
The incorrect timestamp can be caused by incorrect timezone on client or server.
0
 
LVL 38

Expert Comment

by:ChiefIT
Let's talk about where these files are saved to:

Are these roaming profiles and the files reside in "My Documents"? Are the files sent to the local profile's "My Documents" and a copy of these profiles saved on the server? Or are these files on the file server and edited directly, then saved on the file server?

0
 

Author Comment

by:mikerunkel
I double checked and the server is synchronizing with our NTP server so I think the date/time is okay! The person who is missing the files is the last accessor of them all so that doesn't seem out of the ordinary. He is a sophisticated user so I don't think it's a user error on accidentally deleting or not saving them.

The files are accessed, edited and saved directly on the file server. We do not use roaming profiles, nor do we use any type of "My Documents" re-direction. Is this method best practice do you think?
0
 

Author Comment

by:mikerunkel
Is there anyone who can help with my question?
0
 
LVL 38

Expert Comment

by:ChiefIT
Wow, this one slipped through the cracks. I am terribly sorry I haven't been responding to the post.

Let's see now, the files are saved locally and they end up disappearing.

So, this may be the attributes of the file. Do you think these files could be hidden from view?
0
 

Author Comment

by:mikerunkel
Well, when you say locally, you mean locally on the file server? When I log in I have all the hidden and system files shown. None of the ones that tend to be disappearing were known to be ever set as hidden.
0

 
LVL 38

Expert Comment

by:ChiefIT
I have run into a similar situation where the administrator thought they had true roaming profiles. Instead they had a copy of the profile saved on the server. The user was editing the copy of the profile. Then, upon logging off, their local profile was written over the top of what they just saved on the server. So, their work disappeared and it looked (to the user) like their files were disappearing. Actually they were getting overwritten.

This is why I asked, are these roaming profiles or saved copies of the profile. The user may be trying to edit and save data on a copy of his/her profile.
0
 

Author Comment

by:mikerunkel
Ok, I think I understand what you're saying. The user actually isn't doing anything with his profile...we have a data server, \\data-server\Production mapped out to a drive letter. People just click the drive letter that is mapped to the file server and work off files in that manner. Very little is stored on users' Desktop, My Documents or on the C:\ drive itself.
0
 
LVL 38

Expert Comment

by:ChiefIT
Oh, I see:

So, these files are saved on the server and you are sure they haven't accidentally been saved on the user's local desktop as a user error?
0
 

Author Comment

by:mikerunkel
Oh sorry, I missed my notification email that a reply was logged.

Yes correct. I am able to see them on my backups for months then all of a sudden they are not there anymore. The user will typically work on the directory for a month or so then not have to mess with it again for 6-18 months. In theory the files will just sit there until they are worked on again.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
What kind of files are these? Are they .reg, .exe, .vbs or any other type of file that could be blocked by an Antivirus program?

Some AV programs will deny accessibility from install or operating system intrusive files from being saved on the server.
0
 

Author Comment

by:mikerunkel
They seem to vary, a lot of them are .txt files. We do have some .reg files though. So if the AntiVirus program was blocking it, I would need to get on the server to set an exclusion for those folders, do you think?
0
 

Author Closing Comment

by:mikerunkel
I've not had any more files missing as far as I can tell so I assume this fixed it...
0
