Who made changes on NTFS file system

Hi experts,

I'm running an information cleanup project where business users "CUT & PASTE" documents on an NTFS file system (Windows server) from one folder to a consolidated destination folder.

How do I know who pasted a specific folder/document into the destination folder?

Remember, these users are cutting from the source which means that the creation date and owner should stay the same as what it was on the source location.

Thanks
PantoffelSlippers Asked:

the_endjinn Commented:
Hi,

You will need to enable NTFS auditing on the server. It's a local security policy and has a performance impact, but it's about the only way to do it without 3rd party tools.

Unfortunately you need to have already enabled it before the change. All the audits end up in the Windows security event log.

http://technet.microsoft.com/en-us/library/cc771070.aspx
0
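
Added example, not part of the original thread: one way to turn on the auditing described in the answer above, scoped to the destination folder and to create/delete operations only so the log volume stays manageable. It assumes Windows Server 2008 or later, an elevated PowerShell session on the file server, an English-language OS (for the subcategory name) and a hypothetical local path `D:\Shares\Consolidated`.

```powershell
# Hypothetical local path of the destination folder (not the DFS path).
$path = 'D:\Shares\Consolidated'

# 1. Enable success auditing for the "File System" subcategory.
#    Domain Group Policy can override this local setting.
auditpol /set /subcategory:"File System" /success:enable

# 2. Build an audit entry (SACL) that records successful creates and
#    deletes by anyone, inherited by all subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# 3. Read the existing SACL (-Audit is required to see it), add the rule, write it back.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Verify both halves: the policy and the folder's audit entries.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Both parts are needed: the policy alone logs nothing until a folder carries an audit entry, and only operations performed after both are in place are recorded.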

PantoffelSlippers (Author) Commented:
Thanks the_endjinn,

I'm not the IT Administrator.  It may be possible that the administrators do have that enabled.  I'll go check out the eventlog now.

Thanks
0
PantoffelSlippers (Author) Commented:
What type of events should I look for?   "Success Audit"?

Thanks
0
Miguel Angel Perez Muñoz Commented:
I have done a test: moving files between different drives causes a change in the owner property. You can check who moved a folder simply by checking who the owner is on the drive it was moved to.
0
the_endjinn Commented:
Yes, Success Audit, as the failures are attempts without correct permission to the resource. You'll need to search against the files/folders in question within those Success Audits; unfortunately it's not the most straightforward.
0
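
Added example, not part of the original thread: one way to run the search the answer above describes, filtering the Security log on the server side instead of scrolling through it in Event Viewer. It assumes Windows Server 2008 or later, where file-access audits are logged as event ID 4663, and a hypothetical local path `D:\Shares\Consolidated`; the log records local paths, so the DFS path has to be mapped to the drive path first.

```powershell
# Hypothetical local path of the destination folder and the look-back window.
$target = 'D:\Shares\Consolidated'
$since  = (Get-Date).AddDays(-7)

# 4663 = "An attempt was made to access an object".
# Id and StartTime are applied by the event log service, not after download.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep only objects below the destination folder.
    if ($data['ObjectName'] -notlike "$target\*") { continue }

    # AccessMask is hex text such as 0x2. Bits of interest:
    #   0x2     WriteData / AddFile
    #   0x4     AppendData / AddSubdirectory
    #   0x10000 DELETE (also requested when an item is moved or renamed)
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    if (($mask -band 0x10006) -eq 0) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object     = $data['ObjectName']
        AccessMask = '0x{0:X}' -f $mask
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

The `User` column is the account that performed the access, which is the value the file's creation date and owner properties do not give you after a move.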
PantoffelSlippers (Author) Commented:
Thanks the_endjinn,

I see the security log is littered with Success Audit events so I'm guessing they do have it enabled.  Finding it is just a mission now - I'm accessing remotely so it's slow.

I'll update you once I find something.

Thanks
0
PantoffelSlippers (Author) Commented:
Drashiel,

Thank you.

The source location is a DFS structure on a file server.  The destination is another DFS location on the same file server.

I believe this server has many internal drives.  Because the locations are DFS, I cannot really tell what sits on which drive....

Thanks again
0
Miguel Angel Perez Muñoz Commented:
I have done the test on the same server, from one drive to another. Maybe you can do a test in your specific environment: make a directory, change the owner and move it. Then check who the owner of the folder is.
0
Venugopal N Commented:
If you need a built-in tool, then you can go for auditing.

http://support.microsoft.com/kb/310399

Also, there are some tools which can audit file/folder access.

Changeauditor
ProcessMonitor
Varonis - which has more features apart from the access audit
http://www.quest.com/changeauditor-for-windows-file-servers/
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
PantoffelSlippers (Author) Commented:
Looks like the Eventlog on this server can give me what I need - I'm just really struggling to query it....
0
w_richard Commented:
Please set up auditing for this purpose. But please make sure that Windows doesn't create any sort of logs and events by the name of copy, and that's the reason you would be unable to guess it by the events. There are a few links from which you can manually set up auditing for the same purpose.

Have a look at these links..
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b18ca99b-db07-4e2e-8f13-67d58a4d1c63/windows-2008-server-files-access-real-time-monitoring

Cheers.
0
PantoffelSlippers (Author) Commented:
Thanks to all
0