Solved

Logging mapped drive creation and file access

Posted on 2016-08-07
3
55 Views
Last Modified: 2016-09-10
I administer a small network. Most users run Terminal Server sessions on one of three 2008R2 servers. A DC and file server is used to store most data; it also runs 2008R2.

A number of drives are mapped for each user, via GPOs, from the Terminal Server session to shares on the file server.

Recently, one user has been having an additional mapping pop up sporadically. Z: is mapped to a share. For this user, the same share is intentionally mapped as P:; the Z: mapping is spurious.

To investigate further, I put together a script and scheduled it to run every 30 mins that this user is logged on. It simply does a time stamp, then executes "net use z: /d", logging whatever happens. The idea was that this would indicate when this behaviour was occurring, and get rid of the Z: mapping.

The results however, are a little confounding. For days, I just had entries indicating that no Z: was mapped, as expected. Then, one afternoon, the script logged: "There are open files and/or incomplete directory searches  pending on the connection to Z:. Is it OK to continue disconnecting and force them closed? (Y/N) [N]:" I understand the error message, but it only deepens the mystery. No idea what process is doing this, or why.

Does anyone know of a method where I can log:
1. What process is creating the spurious mapping?
2. What files are being accessed via the Z: share?
Question by: Mal Osborne
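An added example, not the asker's script and not from anyone in this thread, of what a scheduled check in the user's Terminal Server session could log while a ProcMon trace (the method recommended in the answers) captures which process actually creates the mapping: it records whether Z: is present and where it points, snapshots the processes running in that session at that moment to narrow the candidates, and disconnects with /y so the "open files ... (Y/N)" prompt cannot leave the task hanging. The log path is an assumption; the commands are PowerShell 2.0 compatible for 2008R2.

```powershell
# Added example (not the asker's script). Assumed: runs as a scheduled task in the
# affected user's session; $LogFile is any path that user can write to.
$Drive   = 'Z:'
$LogFile = 'C:\Logs\ZDriveWatch.log'

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp  $Message"
}

# Win32_NetworkConnection enumerates the drive mappings of the session the script runs in.
$mapping = Get-WmiObject Win32_NetworkConnection | Where-Object { $_.LocalName -eq $Drive }

if (-not $mapping) {
    Write-Log "$Drive not mapped"
    return
}

Write-Log "$Drive is mapped to $($mapping.RemoteName) as $($mapping.UserName) (status: $($mapping.Status))"

# Snapshot the processes in this session. This is not proof of which one mapped the drive
# (ProcMon's FileSystemControl events on "\\;Z:" give that), but it records what was running
# at the moment the spurious mapping was seen, which narrows the candidates between traces.
$sessionId = (Get-Process -Id $PID).SessionId
Get-Process | Where-Object { $_.SessionId -eq $sessionId } | ForEach-Object {
    $started = 'n/a'
    try { $started = $_.StartTime.ToString('HH:mm:ss') } catch { }   # denied for some system processes
    Write-Log ("  pid {0,-6} {1,-25} started {2}" -f $_.Id, $_.ProcessName, $started)
}

# /y answers the "open files and/or incomplete directory searches pending" prompt, so a
# scheduled (non-interactive) run never blocks waiting for Y/N.
$result = net use $Drive /delete /y 2>&1
Write-Log "net use result: $($result -join ' ')"
```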
3 Comments
 
LVL 28

Accepted Solution

by:
Bill Bach earned 250 total points
ID: 41747883
First, go get the ProcMon utility from SysInternals (now part of Microsoft) at www.sysinternals.com and launch that on the Term Server console.

Second, set up a filter with two items in it:
    - Operation Is FileSystemControl (Include)
    - Path Begins With "\\;Z:"

Start capturing events, and you should see nothing showing up in the trace data, because everything else should be excluded.  Now, when Drive Z comes back, you should see some lines start to appear here.  When it does, look through the detail right around there, and you should be able to answer your questions.  

By the way, on a TermServer, you may need to right-click the column header and select additional columns.  I think you will at least want to add the Process Management items "User Name" and "Session ID", which should help you figure out which user it was.
LVL 25

Assisted Solution

by:Coralon
Coralon earned 250 total points
ID: 41748103
BillBach is correct.. you need to do a procmon trace for the user.

Don't forget to add the user name to the capture filter.. that will help filter out a lot of the spurious noise in the log..  

But, it sounds like you have a program that is mapping the drive by itself..

Coralon
LVL 34

Expert Comment

by:Seth Simmons
ID: 41792447
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- BillBach (https:#a41747883)
-- Coralon (https:#a41748103)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer