John Caspary

asked on

Detecting if Users are accessing folders on our server's shares

I’d like a way to detect if users are still accessing certain large folders on my Windows 2012 R2 file server. Users claim they still need them, but I suspect they could be archived due to non-use.

The automated programs that detect folder use are too expensive.  The modified date of the folder doesn’t work because they might be reading out of the folder only. Windows event logging results are cryptic to me and large.

For now, I've put a script on a dummy folder that, when opened, will log the click and open the folder they want. Something less clunky is better.

Setup questions are in the attached .txt file (Setup.txt).

A way to find out if certain folders are being opened would solve this problem. Any ideas?
NVIT
John Caspary

ASKER

I'm open to any utility that will tell me if they open a folder. Tracking if they change something is easy. It's those that read the data only. I don't see a suggested utility that will accomplish this.

Do you know of another one that does?
Thanks so much for your help!

I see one utility that will track the "Accessed Date".
I've tried this by opening old folders on my network to see if the date updates. It does not unfortunately.

A utility that tracks the folders/files that are accessed (modified or not) and logs it would be the answer.

Can you find something like this?
ASKER CERTIFIED SOLUTION
NVIT
It's true that wading through the event log can eventually find folders that were opened. It's a nightmare though. I'll be watching these folders for months to see if certain folders are ever accessed. Going through each log entry is not realistic.

I've got a call into Lepide to see what they charge.

I'm not seeing another way.  Are you?
Windows can do this out of the box. Lepide's product makes it easier.

Your original question is ...detect if users are still accessing certain large folders

I presume you'd just audit those folder(s) per Step 2. Are they a lot to add?

Then, you could run a scheduled script to extract the relevant events 4656 and 4663 to a file. Then browse the file as desired.
This is starting to get good! Thanks again!

Yes, there are a lot of folders. I don't mind adding them for auditing. It's getting to the auditing logs.

Please tell me more about a scheduled script to extract the events. If I can get that into a CSV or any form that will go into an SQL DB, I can get what I want. I just need Folder Name, User who opened it and Date of event.

Could this export be possible? Could you direct me to the scripts that do this?
Here's some powershell code to get the events

1. Start powershell

I presume you don't have auditing setup yet so... Just to see how it works, try this example, which gets events 2 and 4:

$a=Get-WinEvent -FilterHashtable @{logname='setup'; id=2,4} -MaxEvents 20

$a


   ProviderName: Microsoft-Windows-Servicing

TimeCreated                     Id LevelDisplayName Message                                                            
-----------                     -- ---------------- -------                                                            
7/10/2019 2:08:20 AM             4 Information      A reboot is necessary before package KB4507004 can be changed to...
7/10/2019 2:07:52 AM             4 Information      A reboot is necessary before package KB4507449 can be changed to...
6/12/2019 2:26:20 AM             2 Information      Package KB4503292 was successfully changed to the Installed state. 
6/12/2019 2:01:21 AM             4 Information      A reboot is necessary before package KB4503292 can be changed to...
5/20/2019 9:37:48 AM             2 Information      Package KB4499175 was successfully changed to the Installed state. 
5/20/2019 9:09:51 AM             4 Information      A reboot is necessary before package KB4499175 can be changed to...



To return date range and send results to file c:\Events.csv:

Get-WinEvent -FilterHashtable `
    @{
    logname='setup';
    id=2,4;
    StartTime = "3/12/19 23:59:00";
    EndTime = "6/12/19 23:59:00";
    } |
    Export-Csv c:\Events.csv -NoTypeInformation




To return events for the past 60 days and send results to file c:\Events_60.csv:

Tip: Change $DaysOut to desired number

$DaysOut = 60
$EventID = 2,4
$LogName = 'setup'

$EndTime = [datetime]::Today
$StartTime = $endtime.AddDays(-$DaysOut)
$FName = ".\Events_" + $DaysOut + ".csv"

Get-WinEvent -FilterHashtable `
    @{
    logname = $LogName ;
    id = $EventID ;
    StartTime = $StartTime;
    EndTime = $EndTime;
    } |
    Export-Csv $FName -NoTypeInformation



After you setup auditing... Here's the only additional info you need to return the auditing events:
logname = 'security'
id = 4656,4663



Can you figure it out?
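
The approach in the answer above, carried through to the Folder / User / Date CSV the asker wanted. This is an added example, not code from the original thread. It assumes auditing is already enabled on the folders; the folder roots and output path are hypothetical placeholders.

```powershell
# Added example. Assumes a SACL auditing read access is already set on each folder.
$WatchedRoots = 'D:\Shares\Projects', 'D:\Shares\Finance2015'  # hypothetical paths
$DaysOut      = 1                                              # run daily from Task Scheduler
$OutFile      = 'C:\FolderAccess.csv'                          # hypothetical output file

$filter = @{
    LogName   = 'Security'
    Id        = 4656, 4663
    StartTime = [datetime]::Today.AddDays(-$DaysOut)
    EndTime   = [datetime]::Today
}
# Get-WinEvent reports an error when no event matches; treat that as "nothing to log".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = @(foreach ($e in $events) {
    # Collect the named EventData fields (ObjectName, SubjectUserName, ...) from the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $path = $data['ObjectName']
    if (-not $path) { continue }
    # Computer accounts end in '$'; drop them so only user activity is reported.
    if ($data['SubjectUserName'] -like '*$') { continue }

    # Literal, case-insensitive prefix match avoids wildcard problems with [ ] in paths.
    $root = $WatchedRoots | Where-Object {
        $path -eq $_ -or $path.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase)
    } | Select-Object -First 1
    if (-not $root) { continue }

    [pscustomobject]@{
        Date   = $e.TimeCreated.ToString('yyyy-MM-dd')
        Folder = $root
        User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    }
})

# One row per folder, user and day keeps the CSV small enough to load into SQL.
if ($rows.Count -gt 0) {
    $rows | Sort-Object Date, Folder, User -Unique |
        Export-Csv $OutFile -NoTypeInformation -Append
}
```
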
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: 'NVIT' (https:#a42918058)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer