Who accessed my files

I have an employee that has a shared folder on his Windows XP machine running in a Domain at work. He has shared the folders so that he can access them over the network when he uses a VPN connection to work from home. But now he finds out that some of his files have been accessed during the night and it has not been him. It says "Date accessed: 01:25".

Is there a way to find out which person/computer has accessed the files through some sort of log? Can there be anything else that has changed the access date for the files during the night, so that this is normal? Btw there is no antivirus or backup that has been scheduled to run at this particular incidence.

 
mintraas Asked:
delyan_valchev Commented:
Hello,
You may want to turn on the access auditing on the particular shares or particular files. This way you will have the events logged to the Security event log.
Keep in mind that you need to enable the Audit object access setting in the local security policies (if not already defined through GPO). The setting is located in:
 Security Settings->Local Policies->Audit Policy->Audit object access
After that you can enable the auditing by setting the advanced security->auditing on the folders or individual files. If you are really paranoid, enable both success and failure auditing for Everyone on everything. This will have a hit on the performance and also quite some events will be overflowing the security log.

Hope it helps!
0
 
mintraas Author Commented:
Ok, so there is no way to see what has already happened to these files when this function is not turned on at the moment?
0
 
antony_kibble Commented:
Bear in mind that AV scanning may affect the date accessed time.

Check to see if any scheduled scans are due to run at that time.
0
 
antony_kibble Commented:
Note to self, please read all the way down the question next time!
0
 
delyan_valchev Commented:
Unfortunately if you have no auditing enabled, you cannot see who or what exactly accessed the particular file. You can however check in the security log the time frame around 01:25 for any authentications from remote computers and/or users. This way you can only suspect someone.
0
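Added example, not part of the original thread: one way to script the two steps the answers above describe, setting the audit entry on the folder and then reading the Security log around 01:25. It assumes PowerShell 2.0 or later is installed and run elevated, and that "Audit object access" is already enabled in policy; the folder path and date are hypothetical, and the event IDs (560/540 on XP and Server 2003, 4663/4624 on Vista and later) are supplied here rather than taken from the thread.

```powershell
# Added example. Assumptions: elevated PowerShell session, "Audit object access"
# already enabled in policy, and a hypothetical folder path and date.
$Folder = 'C:\Shared\Docs'                  # hypothetical shared folder
$Start  = [datetime]'2024-01-01T01:00:00'   # constructed window around 01:25
$End    = [datetime]'2024-01-01T02:00:00'

# 1. Add an audit entry (SACL) for Everyone, success and failure, inherited by
#    subfolders and files. S-1-1-0 is the well-known SID for Everyone, which
#    avoids depending on the localized group name.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit         # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. Read Security log events inside the window, optionally filtered on text
#    in the event message.
function Get-SecurityEvents([long[]]$Ids, [string]$Match = '*') {
    Get-EventLog -LogName Security -InstanceId $Ids -After $Start -Before $End `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like $Match } |
        Select-Object TimeGenerated, InstanceId, UserName, Message
}

# Object-access events that name the audited folder. These exist only for
# accesses made after the audit entry above was in place.
Get-SecurityEvents -Ids 560, 4663 -Match "*$Folder*" | Format-List

# Logon events in the same window (540 is a network logon on XP; 4624 covers
# all logon types on later versions, where type 3 is network). These can be
# present even when object auditing was off, if logon auditing was enabled.
Get-SecurityEvents -Ids 540, 4624 | Format-List
```

The second query can only narrow down who was connected at the time; it does not show which files were opened.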
 
delyan_valchev Commented:
By the way another culprit may be some indexing service like Windows Desktop Search or Google Desktop which indexes the supported files in the background. If there is such software installed it's likely to be the cause.
0
 
mintraas Author Commented:
Thx. I configured, tested and it works.
0
Question has a verified solution.
