Solved

Logging mapped drive creation and file access

Posted on 2016-08-07
Last Modified: 2016-09-10
I administer a small network. Most users run Terminal Server sessions on one of three 2008R2 servers. A DC and file server is used to store most data; it also runs 2008R2.

A number of drives are mapped for each user, via GPOs, from the Terminal Server session to shares on the file server.

Recently, one user has been having an additional mapping pop up sporadically. Z: is mapped to a share. For this user, the same share is intentionally mapped as P:, the Z: mapping is spurious.

To investigate further, I put together a script and scheduled it to run every 30 mins that this user is logged on. It simply does a time stamp, then executes "net use z: /d", logging whatever happens. Idea was that this would indicate when this behaviour was occurring, and get rid of the Z: mapping.

The results, however, are a little confounding. For days, I just had entries indicating that no Z: was mapped, as expected. Then, one afternoon, the script logged: "There are open files and/or incomplete directory searches  pending on the connection to Z:. Is it OK to continue disconnecting and force them closed? (Y/N) [N]:" I understand the error message, but it only deepens the mystery. No idea what process is doing this, or why.

Does anyone know of a method where I can log:
1. What process is creating the spurious mapping?
2. What files are being accessed via the Z: share?
Question by:Mal Osborne
3 Comments
 

Accepted Solution

by:
Bill Bach earned 1000 total points
ID: 41747883
First, go get the ProcMon utility from SysInternals (now part of Microsoft) at www.sysinternals.com and launch that on the Term Server console.

Second, set up a filter with two items in it:
    - Operation Is FileSystemControl (Include)
    - Path Begins With "\\;Z:"

Start capturing events, and you should see nothing showing up in the trace data, because everything else should be excluded.  Now, when Drive Z comes back, you should see some lines start to appear here.  When it does, look through the detail right around there, and you should be able to answer your questions.  

By the way, on a TermServer, you may need to right-click the column header and select additional columns.  I think you will at least want to add the Process Management items "User Name" and "Session ID", which should help you figure out which user it was.
0
 

Assisted Solution

by:Coralon
Coralon earned 1000 total points
ID: 41748103
BillBach is correct.. you need to do a procmon trace for the user.

Don't forget to add the user name to the capture filter.. that will help filter out a lot of the spurious noise in the log..  

But, it sounds like you have a program that is mapping the drive by itself..

Coralon
0
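
An added example (not part of either answer above): once a trace has been captured and saved from ProcMon as CSV, the two filter items from the accepted answer plus the user-name filter can be reapplied offline to list which process touched the Z: redirector path and which files it opened. The column names (`Process Name`, `Operation`, `Path`, `User`, `Session`), the sample rows, the helper name `Get-MappedDriveEvents`, and the account, server and process names are assumptions constructed for illustration; adjust them to match your export.

```powershell
# Added example: triage a ProcMon CSV export for activity on a mapped drive.
# The rows below are constructed sample data. For a real trace use:
#   $trace = Import-Csv .\trace.csv
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","User","Session"
"14:02:11.1","explorer.exe","4120","CreateFile","C:\Users\jdoe\Desktop","SUCCESS","CORP\jdoe","3"
"14:02:15.4","exampleapp.exe","5316","FileSystemControl","\\;Z:00000000000a1b2c\fileserver\share","SUCCESS","CORP\jdoe","3"
"14:02:15.9","exampleapp.exe","5316","CreateFile","\\;Z:00000000000a1b2c\fileserver\share\report.xlsx","SUCCESS","CORP\jdoe","3"
"14:03:40.2","exampleapp.exe","6644","FileSystemControl","\\;Z:00000000000d4e5f\fileserver\share","SUCCESS","CORP\asmith","5"
'@

# Hypothetical helper: keep only rows whose Path begins with "\\;<letter>:",
# optionally restricted to one user (the extra filter suggested in the thread).
function Get-MappedDriveEvents {
    param(
        [Parameter(Mandatory = $true)] $Rows,
        [string] $DriveLetter = 'Z',
        [string] $UserName            # optional, e.g. 'CORP\jdoe'
    )
    $prefix = '\\;' + $DriveLetter + ':'
    $Rows | Where-Object {
        $_.Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase) -and
        (-not $UserName -or $_.User -eq $UserName)
    }
}

$trace = $sampleCsv | ConvertFrom-Csv
$hits  = @(Get-MappedDriveEvents -Rows $trace -UserName 'CORP\jdoe')

# Question 1: which process issued FileSystemControl against the Z: path?
$hits | Where-Object { $_.Operation -eq 'FileSystemControl' } |
    Select-Object 'Time of Day', 'Process Name', PID, User, Session, Path |
    Format-Table -AutoSize

# Question 2: which paths were touched through Z:, and by which process?
$hits | Group-Object 'Process Name', Path |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Omitting `-UserName` shows every session on the Terminal Server that touched the drive letter, which is useful when it is not yet clear whether the mapping is created in the affected user's own session.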
 

Expert Comment

by:Seth Simmons
ID: 41792447
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- BillBach (https:#a41747883)
-- Coralon (https:#a41748103)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0

Question has a verified solution.
