How do I delete files on Win Server 2k8R2?

it_medcomp
it_medcomp used Ask the Experts™
on
I have some files on a Windows 2K8R2 server that will not delete.
All steps are logged in as the domain Administrator account. All command prompts are elevated.
The files are placed by a Ricoh that scans and saves to SMB share on the network. The filenames are alphanumeric. Most have spaces in them, but for testing, I used mostly files with just letters and numbers in the name. Filenames are less than 30 characters, and the network share is a short path as well- in
E:\scans\QC, shared with a servername that is 10 characters long.
net localgroup administrators shows Domain Administrators.
Delete = Access Denied, using the delete key, shift-delete, or right-click delete.
Gui says it cannot display owner information, will not allow take ownership or change owner
attrib lists all files with only the "A" attribute.
attrib *.* -R -A -S -H generates a list of Access Denied next to each filename.
takeown /F filename.pdf /R /A /D Y results: Access Denied
also tried the above using dir /X to get the 8.3 filename- same results
at some point in the past, we were able to delete and recreate the folder, and the results are the same.
Going to the File Sharing role in Server Manager and listing all of the open files does not show any of the files listed in this folder.
Any ideas what else to try, or what the root cause might be?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
FOXActive Directory/Exchange Engineer
Top Expert 2015

Commented:
FOXActive Directory/Exchange Engineer
Top Expert 2015

Commented:
Refer to this link.  You may have to end the explorer process

http://www.sevenforums.com/tutorials/79699-undeletable-file-delete.html
Scott CSenior Engineer

Commented:
Try rebooting the server and then try to delete them.
CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

Author

Commented:
@SchottCha: Thanks for the suggestion- We tried that before the other troubleshooting, but it didn't fix it.
Scott CSenior Engineer

Commented:
Try Foxluv's suggestion.  I doubt it will work, but it's work a shot.

after that call Ricoh.
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Check the advanced permission settings on the folder (Right click folder, click properties, click security tab, click advanced) and clear out any deny entries that are there. If you can't get to that screen, you can try booting the server with the Ultimate Boot CD or similar and delete the files. NTFS permissions only apply when you're in Windows, and if you boot to a different OS, you can usually bypass those permissions.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Get Unlocker (http://download.cnet.com/Unlocker/3000-2248_4-10493998.html) and try Unlocker. I use this to delete stubborn files and it usually works just fine.

Author

Commented:
OK, This problem is getting stranger as I dig deeper. A number of the previously undeletable files have been deleted, but I cannot tell by whom and the other domain admins and end users claim to not have touched the files. This makes sense because the AD domain "Administrator" account cannot delete the files. there are multiple files created by one copier in one location, I cannot take ownership, delete, move, or modify. At this point, I am not worried about the files, but as to why files are being repeatedly created that I cannot modify. This is a standard SMB share that is being written by the same user that all of our other copiers use. The settings are the same, including the username, and the copier uses the same web interface and version as other copiers that scan to unaffected locations. So I don't think the issue is the copier, the server does not report any file locks on the files I cannot delete, I cannot take ownership or delete, ad it doesn't appear to be a user issue. Rebooting does not make the files deletable, and no processes appear to be using them. There is no replication or DFS that might be replacing the files, the ed user machines do not have Offline folders enabled.... anyone have any ideas what I've missed? We even deleted the folder and replaced it with one in a different name/location- The problem persisted. I appreciate any further advice.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I cannot tell by whom and the other domain admins and end users claim to not have touched the files
... files are being repeatedly created that I cannot modify


You need to have enabled auditing on the Server (already) to know this information.

Author

Commented:
It's an ongoing problem, so enabling will at least let me watch from here on. Thanks- I'll see what I can find out.

Author

Commented:
We deleted the folder and it solved the problem... for a week. It is now doing it again, but I had auditing enabled. I can see the process where the copier user logs in from the copier, scans the directory, writes the scanned image... then I lose the trail. I have the folder set to log all events for everyone relating to all operations. The time on the audit log events match the last modified date in the file properties, but there is something that Windows is missing, because the filename is different (so there had to be a rename operation in there somewhere) , ad when I try to take ownership or change securities, all that is logged by the audit is that an attempt was made to access an object. I tried pushing inheritance down from the folder, but that fails. I'd call Ricoh (copier manufacturer) but this appears to be the byproduct of something happening to the files after the copier finishes its operations on them. Also, even if I could delete them, new files are being created by end users all the time there, so I need to find the root cause. There don't seem to be any extra processes running on the server- Anyone have ideas as to what else I can do to eradicate this problem? Thanks again for all the help!
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You need to determine what application is leaving the files behind in a state that denies deletion. It is not a Windows problem, but rather an application issue. You need to narrow down the application and contact their support group.

Author

Commented:
That is what I am trying to do- the problem is that the server is a vanilla file server- I am trying to track down what user or process is messing up the files so I can find out what program it is. I can't just look at the add/remove programs list on the server because there isn't anything extra. If I could figure out the user or computer where the problem is happening, then I could easily solve it, but all I have to go on is that the problem does not seem to originate on the server, it doesn't seem to come from the copier, and I can't seem to get any reporting out of the server to tell me who is using a program that must be installed on a computer on the network accessing these files- that is what we are trying to do.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can run Task Manager and / or Process Explorer (better) from Microsoft and see what is running in the same time frame that files are being produced that cannot be deleted. Google for the name of the problem file in case someone else has seen the same problem and tells you what the application is.

Author

Commented:
This is exactly what I am trying to do, except the only application that I have seen accessing the files is explorer.exe, which means that there is a computer somewhere on the network doing something somehow, and the only way to find it is to determine the user. File system auditing is not providing that information.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Can you please post the name of a file or files you are trying to delete and cannot?

Author

Commented:
PE1225  MHBJ390.pdf
Filenames are generally similar, but when testing I use a filename without a space, in case that space is really an extended ASCII character or something. Yesterday I had about 15-20 files in this folder that I could not delete. I came in a moment ago and there are now only two files. this means either a user deleted them, or perhaps they were in place because something was holding on to a file handle or other metadata and would not let the delete command finish, resulting in a "ghost" file that hung around for a week. I'm going through the audit log now...
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Your printer creates PDF files and it really looks like it is a printer issue.

Do you have Adobe Acrobat installed on the server?  Probably not, but if so, try uninstalling it completely.
Do you have any other PDF maker installed and then also uninstall that.

Do you have the most recent scanner driver for the printer?

Author

Commented:
It's not a printer issue, because someone is renaming the files after they have been scanned. There is no PDF writer or other software- it is Windows Server, with a SMB share the scanner accesses over the network using a domain account (We have quite a few other similar copiers with identical setups using the same username and password- all of these machines are Ricoh scanners.) The user scans the document, and the scanner creates a PDF and saves it into the folder. This has to be how the process works, because the audit log shows the copier user account logging in with a type 3 (Network) login authenticated using NTLMv1- the workstation name matches the copier's name, and this transaction occurs at the time of the file's creation. The only step in the process that the audit log does not reflect is the file's renaming, which happens within seconds of when the file is created. If I knew who was renaming the file, or what process is renaming the file, I could figure this out, but that's the part I can't seem to get.
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
NTLM Authentication Level 1 is for legacy system authentication.  I do not know why the printer needs to do that. I am running out of ideas to determine who is changing the file.

Author

Commented:
This will probably be an ongoing issue until the next computer refresh when the offending client (whichever that is will be replaced. Appreciate the help- all suggestions were helpful!
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
@it_medcomp - Thanks for the update and I was happy to assist you.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial