Find source of file copy from

Have a 2008 R2 server that we are trying to move away from; however, there seems to be some obscure process or script, either coming from that server or some other server, that is writing to a share on this server. It's the same time every day. Can't find any task or script on that machine that is doing it, so I'm wondering if this is coming from another server. Is there something that can tell me, or something I can leave running and log it?

Senior Systems Admin
Top Expert 2010
Commented:

Yes, it's possible. You have to turn on file auditing on the share and file folder that the data is being written to. This is where it gets tricky because the file auditing system is very difficult to look through. https://www.netwrix.com/how_to_detect_who_tried_to_change_file_or_folder_on_your_file_servers.html has some info that can help. The left column gives the setup required for auditing changes. Change audit failed to audit success (or succeeded, can't remember which works, so try both if you get no results). You can try out their file server auditing software to do it, but it's a little pricey for one time use. The audit entries should show you where the file writes are coming from and which account is doing it. 

Brian B, EE Topic Advisor, Independent Technology Professional

Commented:

If that doesn't work, send out a notice that shares are being disabled, change the folder permissions after a specified amount of time and see who complains. :-)

Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:

"If that doesn't work, send out a notice that shares are being disabled, change the folder permissions after a specified amount of time and see who complains. :-)"

Scorched Earth Change Management. Easy, fast, with the added benefit that it ticks off the users. 

Author

Commented:
Don’t think that would work as I think it’s a script or application somewhere doing it.

Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Is the server still in use as file server for other tasks? If yes, it will get difficult; if no, all you need to do is log network access (e.g. by running net session and net file around the file creation time).
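
One way to log `net session` and `net file` around the file creation time, as suggested above, is to let a file system watcher trigger the capture at the moment something is written. This is an added example, not part of the original thread; `$SharePath` and `$LogFile` are assumed values, and it has to run in an elevated PowerShell session on the file server.

```powershell
# Added example. $SharePath and $LogFile are assumed values; change them to
# the local folder behind the share and to a log location outside that folder.
$SharePath = 'D:\Shares\Incoming'
$LogFile   = 'C:\Temp\share-writers.log'

# Watch the folder so the capture happens while the remote client is still
# connected, instead of guessing the time and polling.
$watcher = New-Object System.IO.FileSystemWatcher $SharePath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'

$action = {
    # Event actions run in their own scope: the log path arrives as MessageData.
    $log = $Event.MessageData
    $now = Get-Date
    # A single copy raises many events; capture at most once every 2 seconds.
    if ($global:LastCapture -and ($now - $global:LastCapture).TotalSeconds -lt 2) { return }
    $global:LastCapture = $now

    $entry = @(
        ('=== {0:yyyy-MM-dd HH:mm:ss.fff} {1} {2}' -f $now,
            $Event.SourceEventArgs.ChangeType, $Event.SourceEventArgs.FullPath)
        '--- net session (client computer and user) ---'
        (net session 2>&1 | Out-String)
        '--- net file (files opened over the network) ---'
        (net file 2>&1 | Out-String)
    )
    Add-Content -Path $log -Value $entry
}

foreach ($name in 'Created', 'Changed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name `
        -SourceIdentifier "ShareWrite$name" -MessageData $LogFile -Action $action | Out-Null
}
$watcher.EnableRaisingEvents = $true
Write-Host "Watching $SharePath, logging to $LogFile. Press Ctrl+C to stop."

try {
    # Keep the session alive; the registered actions run between sleeps.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    'Created', 'Changed' | ForEach-Object { Unregister-Event -SourceIdentifier "ShareWrite$_" }
    $watcher.Dispose()
}
```

A write made by a process on the server itself also triggers a capture, so an entry whose `net file` output does not list the written path points at a local task rather than a remote one.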