Logging mapped drive creation and file access
Posted on 2016-08-07
I administer a small network. Most users run Terminal Server sessions on one of three 2008R2 servers. A DC and file server is used to store most data, it also runs 2008R2.
A number of drives are mapped for each user, via GPOs, from the Terminal Server session to shares on the file server.
Recently, one user has been having an additional mapping pop up sporadically. Z: is mapped to a share. For this user, the same share is intentionally mapped as P:, the Z: mapping is spurious.
To investigate further, I put together a script and scheduled it to run every 30 mins that this user is logged on. It simply does a time stamp, then executes "net use z: /d", logging whatever happens. Idea was that this would indicate when this behaviour was occurring, and get rid of the Z: mapping.
The results however, are a little confounding. For days, I just had entries indicating that no Z: was mapped, as expected. Then, one afternoon, the script logged: "There are open files and/or incomplete directory searches pending on the connection to Z:. Is it OK to continue disconnecting and force them closed? (Y/N) [N]:" I understand the error message, but it only deepens the mystery. No idea what process is doing this, or why.
Does anyone know of a method where I can log:
1. What process is creating the spurious mapping?
2. What files are being accessed via the Z: share?