Solved

Logging mapped drive creation and file access

Posted on 2016-08-07
3
65 Views
Last Modified: 2016-09-10
I administer a small network. Most users run Terminal Server sessions on one of three 2008R2 servers. A DC and file server is used to store most data, it also runs 2008R2.  

A number of drives are mapped for each user, via GPOs, from the Terminal Server session to shares on the file server.

Recently, one user has been having an additional mapping pop up sporadically. Z: is mapped to a share. For this user, the same share is intentionally mapped as P:, the Z: mapping is spurious.

To investigate further, I put together a script and scheduled it to run every 30 mins that this user is logged on. It simply does a time stamp, then executes "net use z: /d", logging whatever happens. Idea was that this would indicate when this behaviour was occurring, and get rid of the Z: mapping.

The results however, are a little confounding. For days, I just had entries indicating that no Z: was mapped, as expected. Then, one afternoon, the script logged: "There are open files and/or incomplete directory searches  pending on the connection to Z:. Is it OK to continue disconnecting and force them closed? (Y/N) [N]:" I understand the error message, but it only deepens the mystery. No idea what process is doing this, or why.

Does anyone know of a method where I can log:
1. What process is creating the spurious mapping?
2. What files are being accessed via the Z: share?
0
Comment
Question by:Mal Osborne
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 28

Accepted Solution

by:
Bill Bach earned 250 total points
ID: 41747883
First, go get the ProcMon utility from SysInternals (now part of Microsoft) at www.sysinternals.com and launch that on the Term Server console.

Second, set up a filter with two items in it:
    - Operation Is FileSystemControl (Include)
    - Path Begins With "\\;Z:"

Start capturing events, and you should see nothing showing up in the trace data, because everything else should be excluded.  Now, when Drive Z comes back, you should see some lines start to appear here.  When it does, look through the detail right around there, and you should be able to answer your questions.  

By the way, on a TermServer, you may need to right-click the column header and select additional columns.  I think you will at least want to add the Process Management items "User Name" and "Session ID", which should help you figure out which user it was.
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 250 total points
ID: 41748103
BillBach is correct.. you need to do a procmon trace for the user.

Don't forget to add the user name to the capture filter.. that will help filter out a lot of the spurious noise in the log..  

But, it sounds like you have a program that is mapping the drive by itself..

Coralon
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 41792447
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- BillBach (https:#a41747883)
-- Coralon (https:#a41748103)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0

Featured Post

Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question