Who saved that file?

By pbtoms
I need to find out who saved a file on our server. Is this possible? In other words, there are some files that shouldn't be there, and I need to know who put them there. Or which computer they used to save them would be fine, too. We have a Win2k server, clients are Win98 and XP. I'm sure the server 'knows' where the file came from, I just can't figure out how to get it to tell me! Thanks.

by BFilmFan In reply to Who saved that file?

If this is an Active Directory domain, you can indeed monitor user activity.

There are nine security categories which can be configured to generate events depending upon your auditing requirements:

Audit account logon events - This category will generate a success or failure event whenever a domain controller receives a logon request.
Audit account management - This category will generate a success or failure event whenever a user account or group is created, renamed, changed or deleted. This includes the creation of events when passwords are changed, and user accounts are enabled or disabled.
Audit Directory Service Access - This category will generate a success or failure event whenever an Active Directory object is accessed/changed. This category will generate events in another event log which is only present on Windows 2000 Domain Controllers.
Audit Logon events - This category is separate from the "Audit Account logon events". This category will generate a success or failure event when a user logs in or out of the system. Events are also generated when a user connects or disconnects from a system via either an interactive type of logon, or via a network type of logon.
Audit object access - This category will generate a success or failure event when a user specified object - file, directory, registry key, printer - is accessed or changed.
Audit Policy Change - This category will generate a success or failure event when a user makes high-level changes to the security policies. These changes may include anything from changing user rights and privileges to changing audit policies.
Audit Privilege Use - This category will generate a success or failure event whenever a user makes use of certain administrative privileges which you may have assigned to that user.
Audit Process Tracking - This category will generate a success or failure event whenever a process is launched, a handle to an object is duplicated, objects are accessed indirectly

by BFilmFan In reply to

The reply is limited to 2000 characters, so here is the rest:

Audit Process Tracking - This category will generate a success or failure event whenever a process is launched, a handle to an object is duplicated, objects are accessed indirectly and also whenever a process exits.
Audit System Events - This category will generate a success or failure event whenever an event which affects the entire system occurs. Such events include having the system shut down or restarted. A system event will also be generated when the security log fills up.

The Windows 2000 Security Operations Guide is available here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8&displaylang=en

And for Exchange 2000 here:
http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/default.mspx

If you do plan to monitor security events extensively, I highly recommend that you plan to purchase third-party event monitoring software, as the security log will quickly overfill and be worthless in an audit.

by pbtoms In reply to

Unfortunately, that doesn't help me at this point, because we were not auditing (with the number of users and number of files we work with, the logs get HUGE if we do even basic auditing). I would have to audit every user for every file creation. Although, if I hadn't found a solution, I guess turning it on for a day or so would probably show me what I needed.
I ended up turning on the "owner" field in the details view of Windows Explorer, and that showed me who created the file. Thanks for the help, though!
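
The owner lookup described in the reply above can also be scripted across a whole folder tree. The following PowerShell is an added example, not part of the original thread; the `$Root` path is a hypothetical placeholder, and it assumes a machine with PowerShell 3.0 or later that can read the folder.

```powershell
# Added example: report the NTFS owner of every file under a folder.
# $Root is a hypothetical path; point it at the share being investigated.
param(
    [string]$Root = 'D:\Shares\Public'   # assumed path, not from the thread
)

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($file in $files) {
    try {
        # The Owner property comes from the file's NTFS security descriptor,
        # the same value Explorer shows in its "Owner" column.
        $owner = (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner
    } catch {
        # Keep the file in the report even if its security descriptor is unreadable.
        $owner = '<unreadable>'
    }

    [pscustomobject]@{
        Owner     = $owner
        Created   = $file.CreationTime
        Modified  = $file.LastWriteTime
        # A file can be owned by the Administrators group instead of an
        # individual account, so flag rows that do not name one person.
        Ambiguous = ($owner -eq 'BUILTIN\Administrators')
        Path      = $file.FullName
    }
}

# Group the unexpected files by who owns them, oldest first within each owner.
$report | Sort-Object Owner, Created | Format-Table -AutoSize
```

The owner is an attribute that anyone with the take-ownership right can change, so treat it as a lead to follow up rather than as an audit record.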

by pbtoms In reply to Who saved that file?

This question was closed by the author
