Solved

Logging mapped drive creation and file access

Posted on 2016-08-07
Last Modified: 2016-09-10
I administer a small network. Most users run Terminal Server sessions on one of three 2008R2 servers. A DC and file server is used to store most data; it also runs 2008R2.

A number of drives are mapped for each user, via GPOs, from the Terminal Server session to shares on the file server.

Recently, one user has been having an additional mapping pop up sporadically: Z: is mapped to a share. For this user, the same share is intentionally mapped as P:; the Z: mapping is spurious.

To investigate further, I put together a script and scheduled it to run every 30 mins while this user is logged on. It simply writes a time stamp, then executes "net use z: /d", logging whatever happens. The idea was that this would indicate when this behaviour was occurring, and get rid of the Z: mapping.

The results, however, are a little confounding. For days, I just had entries indicating that no Z: was mapped, as expected. Then, one afternoon, the script logged: "There are open files and/or incomplete directory searches pending on the connection to Z:. Is it OK to continue disconnecting and force them closed? (Y/N) [N]:" I understand the error message, but it only deepens the mystery. No idea what process is doing this, or why.

Does anyone know of a method where I can log:
1. What process is creating the spurious mapping?
2. What files are being accessed via the Z: share?
Question by: Malmensa
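An added example, not the poster's own script: a PowerShell body for the same 30-minute scheduled task that logs the state of the drive letter, records the UNC path behind the spurious mapping before removing it, and passes /y to net use so the "open files ... (Y/N)" prompt quoted above cannot stall the task. The drive letter, log path and the Win32_MappedLogicalDisk query are choices made for this example; drive mappings belong to a logon session, so the task must run as the affected user with "Run only when user is logged on" to see the same mappings the user sees.

```powershell
# Added example; this is not the poster's script. Scheduled-task body that logs the
# state of one drive letter every run and, when the spurious mapping is present,
# records where it points before removing it. It passes /y to net use so the
# "open files ... (Y/N)" prompt the poster logged cannot stall the task.
# Drive letter and log path are assumptions; adjust to taste.

param(
    [string]$Drive = 'Z',
    [string]$LogPath = (Join-Path $env:USERPROFILE 'zdrive-watch.log')
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# Drive mappings belong to a logon session, so the task must run as this user with
# "Run only when user is logged on"; a task in a different logon session would see
# a different set of mappings and report nothing.
$mapped = Get-WmiObject -Class Win32_MappedLogicalDisk |
    Where-Object { $_.DeviceID -eq ('{0}:' -f $Drive) }

if (-not $mapped) {
    Write-Log ('{0}: not mapped' -f $Drive)
    return
}

# ProviderName is the UNC path behind the letter; that tells us which share the
# unknown program wanted, which narrows down the candidate processes.
Write-Log ('{0}: is mapped to {1}' -f $Drive, $mapped.ProviderName)

# Keep the whole net use table as context (it also shows Disconnected mappings).
Write-Log ('net use:' + [Environment]::NewLine + ((net use) -join [Environment]::NewLine))

# /delete /y answers the open-files prompt instead of waiting on stdin, which is
# what made the poster's script log the prompt text. Capture stderr as well.
$output = & net use ('{0}:' -f $Drive) /delete /y 2>&1
Write-Log ('net use {0}: /delete /y -> exit {1}: {2}' -f $Drive, $LASTEXITCODE, ($output -join ' '))
```

Save it as, say, Watch-Drive.ps1 (an assumed name) and point the task at `powershell.exe -ExecutionPolicy Bypass -File Watch-Drive.ps1`. The ProviderName line is the useful addition: knowing which share the mapping targets is what lets you shortlist the programs that might be creating it.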
Accepted Solution by Bill Bach (earned 250 total points), ID: 41747883
First, go get the ProcMon utility from SysInternals (now part of Microsoft) at www.sysinternals.com and launch that on the Term Server console.

Second, set up a filter with two items in it:
    - Operation Is FileSystemControl (Include)
    - Path Begins With "\\;Z:"

Start capturing events, and you should see nothing showing up in the trace data, because everything else should be excluded. Now, when Drive Z comes back, you should see some lines start to appear here. When it does, look through the detail right around there, and you should be able to answer your questions.

By the way, on a TermServer, you may need to right-click the column header and select additional columns.  I think you will at least want to add the Process Management items "User Name" and "Session ID", which should help you figure out which user it was.
Assisted Solution by Coralon (earned 250 total points), ID: 41748103
BillBach is correct. You need to do a Procmon trace for the user.

Don't forget to add the user name to the capture filter; that will help filter out a lot of the spurious noise in the log.

But it sounds like you have a program that is mapping the drive by itself.

Coralon
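An added example, not code from either answer: it takes Bill Bach's Procmon filter (Operation is FileSystemControl, Path begins with \\;Z:) and Coralon's point about filtering on the user name, and applies them to a CSV export of the capture so both of the asker's questions are answered from the saved log rather than read off the GUI. It also goes one step beyond the GUI filter by keeping the file operations under the same \\;Z: prefix, which is what answers question 2. Assumptions: the capture was saved as CSV after adding the "User Name" and "Session ID" columns, and Procmon exports those under the headers "User" and "Session" (check the first line of your export); the hex run after \\;Z: is treated as a per-logon-session id; the sample rows, PIDs, paths and Detail text are constructed for the example.

```powershell
# Added example, not code from the thread. It applies Bill Bach's Procmon filter
# (Operation is FileSystemControl, Path begins with \\;Z:) and Coralon's advice to
# filter on the user to a CSV export of a capture, so both questions are answered
# from the saved log rather than read off the GUI. Assumptions: the capture was
# saved as CSV after adding the "User Name" and "Session ID" columns, and Procmon
# exports those under the headers "User" and "Session" (check the first line of
# your export and rename below if it differs). The sample rows are constructed
# and stand in for a real export; PIDs, paths and Detail text are invented.
#
# To capture unattended on the Terminal Server console, with Procmon's own switches:
#   procmon.exe /AcceptEula /Quiet /Minimized /BackingFile C:\pm\zdrive.pml
#   ... wait until Z: has reappeared, then ...
#   procmon.exe /Terminate
#   procmon.exe /OpenLog C:\pm\zdrive.pml /SaveAs C:\pm\zdrive.csv
# A filter built in the GUI can be saved with File > Export Configuration (.pmc)
# and passed to the first command with /LoadConfig.

param(
    [string]$CsvPath,                 # Procmon CSV export; omit to run on the sample
    [string]$DriveLetter = 'Z',
    [string]$UserName = ''            # e.g. CONTOSO\jdoe; empty means every user
)

if ($CsvPath) {
    $events = Import-Csv -Path $CsvPath
} else {
    $sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User","Session"
"14:02:11.0010000","explorer.exe","4120","CreateFile","P:\reports\q2.xlsx","SUCCESS","Desired Access: Generic Read","CONTOSO\jdoe","2"
"14:02:15.0020000","legacyapp.exe","5588","FileSystemControl","\\;Z:000000000001a2b3\fileserver\shared","SUCCESS","Control: FSCTL_NETWORK_SET_CONFIGURATION_INFO","CONTOSO\jdoe","2"
"14:02:15.0030000","legacyapp.exe","5588","CreateFile","\\;Z:000000000001a2b3\fileserver\shared\data\index.dat","SUCCESS","Desired Access: Generic Read/Write","CONTOSO\jdoe","2"
"14:02:16.0040000","legacyapp.exe","5588","CreateFile","\\;Z:000000000001a2b3\fileserver\shared\data\lock.tmp","SUCCESS","Desired Access: Generic Write","CONTOSO\jdoe","2"
"14:03:01.0050000","cmd.exe","6012","FileSystemControl","\\;Z:000000000001a2b4\fileserver\shared","SUCCESS","Control: FSCTL_NETWORK_SET_CONFIGURATION_INFO","CONTOSO\asmith","3"
'@
    $events = $sample | ConvertFrom-Csv
}

# Procmon shows a mapped drive as \\;Z:<hex id>\server\share (the hex run is taken
# to be the logon session; an assumption), so "Path begins with \\;Z:" catches
# both the mapping itself and every file touched through it.
$onDrive = $events | Where-Object {
    $_.Path -match ('^\\\\;{0}:' -f $DriveLetter) -and
    (-not $UserName -or $_.User -eq $UserName)
}

# Question 1: which process created the mapping. The FileSystemControl on the drive
# root is the event the GUI filter keys on; process, PID, user and session name it.
$creators = $onDrive |
    Where-Object { $_.Operation -eq 'FileSystemControl' } |
    Select-Object 'Time of Day', 'Process Name', 'PID', 'User', 'Session', 'Detail'

# Question 2: which files were accessed through the drive. Strip the \\;Z:<id>\
# prefix so paths read as ordinary UNC paths, then keep one line per process/file.
$fileOps = @('CreateFile', 'ReadFile', 'WriteFile', 'QueryDirectory')
$stripRe = '^\\\\;{0}:[0-9A-Fa-f]*\\' -f $DriveLetter
$accessed = $onDrive |
    Where-Object { $fileOps -contains $_.Operation } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Process = '{0} ({1})' -f $_.'Process Name', $_.PID
            User    = $_.User
            Path    = $_.Path -replace $stripRe, '\\'
        }
    } |
    Sort-Object Process, Path -Unique

'--- {0}: mapping created by ---' -f $DriveLetter
$creators | Format-Table -AutoSize
'--- files accessed through {0}: ---' -f $DriveLetter
$accessed | Format-Table Process, User, Path -AutoSize
```

Run it without arguments to see it work on the constructed rows, or as `.\Find-DriveCreator.ps1 -CsvPath C:\pm\zdrive.csv -UserName CONTOSO\jdoe` (script name assumed) against a real export. On the sample, the first table lists legacyapp.exe (PID 5588) and cmd.exe (PID 6012) as the two processes that set up a Z: connection, and the second shows the two files legacyapp.exe opened under \\fileserver\shared; adding -UserName drops the cmd.exe row, which is exactly the noise reduction Coralon describes. Avoid the GUI trap of filtering only on FileSystemControl when you also want question 2 answered; that operation shows the mapping being made but not the file traffic over it.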
Expert Comment by Seth Simmons, ID: 41792447
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- BillBach (https:#a41747883)
-- Coralon (https:#a41748103)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer