Solved

Logging mapped drive creation and file access

Posted on 2016-08-07
3
50 Views
Last Modified: 2016-09-10
I administer a small network. Most users run Terminal Server sessions on one of three 2008R2 servers. A DC and file server is used to store most data, it also runs 2008R2.  

A number of drives are mapped for each user, via GPOs, from the Terminal Server session to shares on the file server.

Recently, one user has been having an additional mapping pop up sporadically. Z: is mapped to a share. For this user, the same share is intentionally mapped as P:, the Z: mapping is spurious.

To investigate further, I put together a script and scheduled it to run every 30 mins that this user is logged on. It simply does a time stamp, then executes "net use z: /d", logging whatever happens. Idea was that this would indicate when this behaviour was occurring, and get rid of the Z: mapping.

The results however, are a little confounding. For days, I just had entries indicating that no Z: was mapped, as expected. Then, one afternoon, the script logged: "There are open files and/or incomplete directory searches  pending on the connection to Z:. Is it OK to continue disconnecting and force them closed? (Y/N) [N]:" I understand the error message, but it only deepens the mystery. No idea what process is doing this, or why.

Does anyone know of a method where I can log:
1. What process is creating the spurious mapping?
2. What files are being accessed via the Z: share?
0
Comment
Question by:Mal Osborne
3 Comments
 
LVL 28

Accepted Solution

by:
Bill Bach earned 250 total points
ID: 41747883
First, go get the ProcMon utility from SysInternals (now part of Microsoft) at www.sysinternals.com and launch that on the Term Server console.

Second, set up a filter with two items in it:
    - Operation Is FileSystemControl (Include)
    - Path Begins With "\\;Z:"

Start capturing events, and you should see nothing showing up in the trace data, because everything else should be excluded.  Now, when Drive Z comes back, you should see some lines start to appear here.  When it does, look through the detail right around there, and you should be able to answer your questions.  

By the way, on a TermServer, you may need to right-click the column header and select additional columns.  I think you will at least want to add the Process Management items "User Name" and "Session ID", which should help you figure out which user it was.
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 250 total points
ID: 41748103
BillBach is correct.. you need to do a procmon trace for the user.

Don't forget to add the user name to the capture filter.. that will help filter out a lot of the spurious noise in the log..  

But, it sounds like you have a program that is mapping the drive by itself..

Coralon
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 41792447
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- BillBach (https:#a41747883)
-- Coralon (https:#a41748103)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question