How do I delete files on Win Server 2k8R2?

I have some files on a Windows 2K8R2 server that will not delete.
All steps are logged in as the domain Administrator account. All command prompts are elevated.
The files are placed by a Ricoh that scans and saves to SMB share on the network. The filenames are alphanumeric. Most have spaces in them, but for testing, I used mostly files with just letters and numbers in the name. Filenames are less than 30 characters, and the network share is a short path as well- in
E:\scans\QC, shared with a servername that is 10 characters long.
net localgroup administrators shows Domain Administrators.
Delete = Access Denied, using the delete key, shift-delete, or right-click delete.
Gui says it cannot display owner information, will not allow take ownership or change owner
attrib lists all files with only the "A" attribute.
attrib *.* -R -A -S -H generates a list of Access Denied next to each filename.
takeown /F filename.pdf /R /A /D Y results: Access Denied
also tried the above using dir /X to get the 8.3 filename- same results
at some point in the past, we were able to delete and recreate the folder, and the results are the same.
Going to the File Sharing role in Server Manager and listing all of the open files does not show any of the files listed in this folder.
Any ideas what else to try, or what the root cause might be?
LVL 1
it_medcompAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

FOXActive Directory/Exchange EngineerCommented:
FOXActive Directory/Exchange EngineerCommented:
Refer to this link.  You may have to end the explorer process

http://www.sevenforums.com/tutorials/79699-undeletable-file-delete.html
Scott CSenior EngineerCommented:
Try rebooting the server and then try to delete them.
Expert Spotlight: Joe Anderson (DatabaseMX)

We’ve posted a new Expert Spotlight!  Joe Anderson (DatabaseMX) has been on Experts Exchange since 2006. Learn more about this database architect, guitar aficionado, and Microsoft MVP.

it_medcompAuthor Commented:
@SchottCha: Thanks for the suggestion- We tried that before the other troubleshooting, but it didn't fix it.
Scott CSenior EngineerCommented:
Try Foxluv's suggestion.  I doubt it will work, but it's work a shot.

after that call Ricoh.
Adam BrownSenior Systems AdminCommented:
Check the advanced permission settings on the folder (Right click folder, click properties, click security tab, click advanced) and clear out any deny entries that are there. If you can't get to that screen, you can try booting the server with the Ultimate Boot CD or similar and delete the files. NTFS permissions only apply when you're in Windows, and if you boot to a different OS, you can usually bypass those permissions.
JohnBusiness Consultant (Owner)Commented:
Get Unlocker (http://download.cnet.com/Unlocker/3000-2248_4-10493998.html) and try Unlocker. I use this to delete stubborn files and it usually works just fine.
it_medcompAuthor Commented:
OK, This problem is getting stranger as I dig deeper. A number of the previously undeletable files have been deleted, but I cannot tell by whom and the other domain admins and end users claim to not have touched the files. This makes sense because the AD domain "Administrator" account cannot delete the files. there are multiple files created by one copier in one location, I cannot take ownership, delete, move, or modify. At this point, I am not worried about the files, but as to why files are being repeatedly created that I cannot modify. This is a standard SMB share that is being written by the same user that all of our other copiers use. The settings are the same, including the username, and the copier uses the same web interface and version as other copiers that scan to unaffected locations. So I don't think the issue is the copier, the server does not report any file locks on the files I cannot delete, I cannot take ownership or delete, ad it doesn't appear to be a user issue. Rebooting does not make the files deletable, and no processes appear to be using them. There is no replication or DFS that might be replacing the files, the ed user machines do not have Offline folders enabled.... anyone have any ideas what I've missed? We even deleted the folder and replaced it with one in a different name/location- The problem persisted. I appreciate any further advice.
JohnBusiness Consultant (Owner)Commented:
I cannot tell by whom and the other domain admins and end users claim to not have touched the files
... files are being repeatedly created that I cannot modify


You need to have enabled auditing on the Server (already) to know this information.
it_medcompAuthor Commented:
It's an ongoing problem, so enabling will at least let me watch from here on. Thanks- I'll see what I can find out.
it_medcompAuthor Commented:
We deleted the folder and it solved the problem... for a week. It is now doing it again, but I had auditing enabled. I can see the process where the copier user logs in from the copier, scans the directory, writes the scanned image... then I lose the trail. I have the folder set to log all events for everyone relating to all operations. The time on the audit log events match the last modified date in the file properties, but there is something that Windows is missing, because the filename is different (so there had to be a rename operation in there somewhere) , ad when I try to take ownership or change securities, all that is logged by the audit is that an attempt was made to access an object. I tried pushing inheritance down from the folder, but that fails. I'd call Ricoh (copier manufacturer) but this appears to be the byproduct of something happening to the files after the copier finishes its operations on them. Also, even if I could delete them, new files are being created by end users all the time there, so I need to find the root cause. There don't seem to be any extra processes running on the server- Anyone have ideas as to what else I can do to eradicate this problem? Thanks again for all the help!
JohnBusiness Consultant (Owner)Commented:
You need to determine what application is leaving the files behind in a state that denies deletion. It is not a Windows problem, but rather an application issue. You need to narrow down the application and contact their support group.
it_medcompAuthor Commented:
That is what I am trying to do- the problem is that the server is a vanilla file server- I am trying to track down what user or process is messing up the files so I can find out what program it is. I can't just look at the add/remove programs list on the server because there isn't anything extra. If I could figure out the user or computer where the problem is happening, then I could easily solve it, but all I have to go on is that the problem does not seem to originate on the server, it doesn't seem to come from the copier, and I can't seem to get any reporting out of the server to tell me who is using a program that must be installed on a computer on the network accessing these files- that is what we are trying to do.
JohnBusiness Consultant (Owner)Commented:
You can run Task Manager and / or Process Explorer (better) from Microsoft and see what is running in the same time frame that files are being produced that cannot be deleted. Google for the name of the problem file in case someone else has seen the same problem and tells you what the application is.
it_medcompAuthor Commented:
This is exactly what I am trying to do, except the only application that I have seen accessing the files is explorer.exe, which means that there is a computer somewhere on the network doing something somehow, and the only way to find it is to determine the user. File system auditing is not providing that information.
JohnBusiness Consultant (Owner)Commented:
Can you please post the name of a file or files you are trying to delete and cannot?
it_medcompAuthor Commented:
PE1225  MHBJ390.pdf
Filenames are generally similar, but when testing I use a filename without a space, in case that space is really an extended ASCII character or something. Yesterday I had about 15-20 files in this folder that I could not delete. I came in a moment ago and there are now only two files. this means either a user deleted them, or perhaps they were in place because something was holding on to a file handle or other metadata and would not let the delete command finish, resulting in a "ghost" file that hung around for a week. I'm going through the audit log now...
JohnBusiness Consultant (Owner)Commented:
Your printer creates PDF files and it really looks like it is a printer issue.

Do you have Adobe Acrobat installed on the server?  Probably not, but if so, try uninstalling it completely.
Do you have any other PDF maker installed and then also uninstall that.

Do you have the most recent scanner driver for the printer?
it_medcompAuthor Commented:
It's not a printer issue, because someone is renaming the files after they have been scanned. There is no PDF writer or other software- it is Windows Server, with a SMB share the scanner accesses over the network using a domain account (We have quite a few other similar copiers with identical setups using the same username and password- all of these machines are Ricoh scanners.) The user scans the document, and the scanner creates a PDF and saves it into the folder. This has to be how the process works, because the audit log shows the copier user account logging in with a type 3 (Network) login authenticated using NTLMv1- the workstation name matches the copier's name, and this transaction occurs at the time of the file's creation. The only step in the process that the audit log does not reflect is the file's renaming, which happens within seconds of when the file is created. If I knew who was renaming the file, or what process is renaming the file, I could figure this out, but that's the part I can't seem to get.
JohnBusiness Consultant (Owner)Commented:
NTLM Authentication Level 1 is for legacy system authentication.  I do not know why the printer needs to do that. I am running out of ideas to determine who is changing the file.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
it_medcompAuthor Commented:
This will probably be an ongoing issue until the next computer refresh when the offending client (whichever that is will be replaced. Appreciate the help- all suggestions were helpful!
JohnBusiness Consultant (Owner)Commented:
@it_medcomp - Thanks for the update and I was happy to assist you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.