How can I audit who has accessed certain files on a Windows 2003 Server?

We had a security hole here that inadvertently caused some drives to be accessible by the entire company. We locked it down, but want to see if anyone may have attempted to open these files and/or copy them. Unfortunately, file auditing was not turned on. Is there any type of trail we could look at to see if there is any temp data left behind? They are mostly MS Word and Excel files. There's about 60 users and computers, so I can go into each computer and look if I need to. Does anyone know the best way to go through and try to track this down?
ryanmnlyAsked:
Who is Participating?
 
Henrik JohanssonSystems engineerCommented:
If auditing wasn't enabled, the answer is no.
0
 
ryanmnlyAuthor Commented:
What about temp files from the Office applications themselves? Do they reside for a certain amount of time in a temp directory?
0
 
Henrik JohanssonSystems engineerCommented:
Temporary files for Office are normally deleted when file is closed.
If auditing wasn't enabled, you will not see any trace if someone has copied the file to somewhere else like a removable drive (USB etc) and open it from the new location.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Rene-StolkerCommented:
There is a way to trace this because every fileaccess is monitored by your local explorer.

0
 
Henrik JohanssonSystems engineerCommented:
The last access timestamp of the file in filesystem isn't a proof that anyone has opened the file as the attribute will also be updated when only displaying file properties (right-click->properties).
The attribute will not be updated when copying the file to another location like a removable drive.
If last access timestamp of the file is updated, it will only be the timestamp without trace of who actual accessed it.
0
 
PhateonCommented:
Plus, it might not be feasible as you will have to audit each and every PC in your company.
0
 
PhateonCommented:
In addition to my comment above, incase you use Office Enterprise 2007, you might find information about about the files accessed using logs in eventvwr.msc and Microsoft Office Sessions if used with RDP.
0
 
ryanmnlyAuthor Commented:
Doesn't look like there is a solution to what I needed to do. I went ahead and took everyone's answers as acceptable replies.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.