Solved

Need help auditing disappearing files

Posted on 2008-10-15
Last Modified: 2012-08-13
I have a server 2008 file server running DFS to allow access to the data by the end users. I have the end users mapped to the namespace and that is how they work, \\domain.com\Production is mapped to T:\

I have an instance in the past few days where someone is coming to me every day saying files are missing randomly and have been deleted and they didn't do it. He also has some files that he said are being rolled back, i.e. he made changes at 3 PM today, but at 4 PM he went to make more changes and now it shows the file timestamps as 2 PM. This obviously is very confusing so I have taken the following steps...

On the local policy of the server I turned on audit Object Access success and failure. I then went to the directory in question at the root and set up Everyone with success/failure on delete and delete subfolders and files.

There has been another case of this happening since I turned it on but I can't seem to find anything in the logs to tell me what is happening. Is there a specific event ID that tells me if it has been deleted? Also what do I need to check to tell me when something is being modified?

EDIT: I also seem to be pulling random logon events into my security log on this local machine when I know for a fact that these users are not logging into the server...what is going on with that?
0
Question by:mikerunkel
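
Added example (not part of the thread): with Object Access auditing and a folder SACL like the one described in the question, a delete shows up in the Security log as event 4663 with the DELETE right (access mask 0x10000), followed by event 4660 on the same handle when the object is actually removed. The query below joins the two; it assumes PowerShell 2.0 or later run elevated on the file server, and `$Root` is a placeholder path, not one from the thread.

```powershell
# Added example; assumes PowerShell 2.0+ run elevated on the file server.
$Root   = 'D:\Production'   # placeholder: local path of the audited folder
$Since  = (Get-Date).AddDays(-2)
$DELETE = 0x10000           # DELETE access right
$WRITE  = 0x2 -bor 0x4      # WriteData, AppendData (only logged if the SACL audits them)

function Get-EventFields($Event) {
    # Flatten the event's <EventData> name/value pairs into a hashtable
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663, 4660; StartTime = $Since
} -ErrorAction SilentlyContinue)

# 4660 carries no file name, so index it by handle and process id and join it
# to the 4663 that names the object. Handles are reused over time, so treat
# the join as a strong hint, not proof.
$deleted = @{}
foreach ($e in $events) {
    if ($e.Id -ne 4660) { continue }
    $f = Get-EventFields $e
    $deleted["$($f.HandleId)|$($f.ProcessId)"] = $true
}

$events | Where-Object { $_.Id -eq 4663 } | ForEach-Object {
    $f = Get-EventFields $_
    if (-not $f.ObjectName) { return }
    if (-not $f.ObjectName.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)) { return }
    $mask = [Convert]::ToInt64($f.AccessMask, 16)
    if ($mask -band $DELETE) {
        # DELETE access with no 4660 on the same handle is what a rename or move looks like
        if ($deleted.ContainsKey("$($f.HandleId)|$($f.ProcessId)")) { $action = 'deleted' }
        else { $action = 'delete access, no 4660 (rename/move?)' }
    } elseif ($mask -band $WRITE) { $action = 'written' }
    else { return }
    New-Object PSObject -Property @{
        Time = $_.TimeCreated; User = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
        Action = $action; Process = $f.ProcessName; File = $f.ObjectName
    }
} | Sort-Object Time | Select-Object Time, User, Action, Process, File
```

Rows marked `written` appear only after Write Data / Append Data auditing is added to the folder's SACL alongside the delete entries. The Process field names the executable on the server that performed the access, which helps tell a local program from a user's action.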
13 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22747813
The missing files may have been moved/renamed instead of deleted. Audit read access to see who last accessed the file.
The incorrect timestamp can be caused by an incorrect timezone on the client or server.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22749513
Let's talk about where these files are saved to:

Are these roaming profiles, with the files residing in "My Documents"? Are the files sent to the local profile's "My Documents" and a copy of these profiles saved on the server? Or are these files on the file server and edited directly, then saved on the file server?

0
 

Author Comment

by:mikerunkel
ID: 22757592
I double checked and the server is synchronizing with our NTP server so I think the date/time is okay! The person who is missing the files is the last accessor of them all so that doesn't seem out of the ordinary. He is a sophisticated user so I don't think it's a user error on accidentally deleting or not saving them.

The files are accessed, edited and saved directly on the file server. We do not use roaming profiles, nor do we use any type of "My Documents" re-direction. Is this method best practice do you think?
0

 

Author Comment

by:mikerunkel
ID: 22840353
Is there anyone who can help with my question?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22923873
Wow, this one slipped through the cracks. I am terribly sorry I haven't been responding to the post.

Let's see now, the files are saved locally and they end up disappearing.

So, this may be the attributes of the file. Do you think these files could be hidden from view?
0
 

Author Comment

by:mikerunkel
ID: 22924216
Well, when you say locally, you mean locally on the file server? When I log in I have all the hidden and system files shown. None of the ones that tend to be disappearing were known to be ever set as hidden.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22924369
I have run into a similar situation where the administrator thought they had true roaming profiles. Instead they had a copy of the profile saved on the server. The user was editing the copy of the profile. Then, upon logging off, their local profile was written over the top of what they just saved on the server. So, their work disappeared and it looked (to the user) like their files were disappearing. Actually they were getting overwritten.

This is why I asked, are these roaming profiles or saved copies of the profile. The user may be trying to edit and save data on a copy of his/her profile.
0
 

Author Comment

by:mikerunkel
ID: 22963142
OK, I think I understand what you're saying. The user actually isn't doing anything with his profile...we have a data server, \\data-server\Production mapped out to a drive letter. People just click the drive letter that is mapped to the file server and work off files in that manner. Very little is stored on users' Desktop, My Documents or on the C:\ drive itself.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22963264
Oh, I See:

So, these files are saved on the server and you are sure they haven't accidentally been saved on the user's local desktop as a user error?
0
 

Author Comment

by:mikerunkel
ID: 23003443
Oh sorry, I missed my notification email that a reply was logged.

Yes correct. I am able to see them on my backups for months then all of a sudden they are not there anymore. The user will typically work on the directory for a month or so then not have to mess with it again for 6-18 months. In theory the files will just sit there until they are worked on again.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 1500 total points
ID: 23039714
What kind of files are these? Are they .reg, .exe, .vbs or any other type of file that could be blocked by an Antivirus program?

Some AV programs will deny accessibility from install or operating system intrusive files from being saved on the server.
0
 

Author Comment

by:mikerunkel
ID: 23098196
They seem to vary, a lot of them are .txt files. We do have some .reg files though. So if the AntiVirus program was blocking it, I would need to get on the server to set an exclusion for those folders, do you think?
0
 

Author Closing Comment

by:mikerunkel
ID: 31506501
I've not had any more files missing as far as I can tell so I assume this fixed it...
0
