Re: Disappearing .doc files
- From: "Andy H." <andrew.harlan@xxxxxxxxxxxxxxxx>
- Date: Thu, 30 Mar 2006 08:33:22 -0500
If I audit a group will that show individual user actions or only the group
ID everytime someone acts on an object?
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uvOMmz5UGHA.1868@xxxxxxxxxxxxxxxxxxxxxxx
Weird. You can audit those files to see if it shows a particular user
doing that. See the link below for more details and I would be sure to
just audit the two delete permissions to keep the number of object access
events down. You will also find it helpful to use Event Comb to search the
security log for specific events and text strings such as filename and
delete. If a user name is found he may have malicious software installed
on his computer or another user could be impersonating him and not be
doing it himself so keep that in mind before you fire or reprimand him
right away. As shown below Event IDs 560 and 567 will have pertinent
info.--- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640 --- note
that auditing of object access needs to be enabled on server first.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e
--- Event Comb available here.
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgch04.mspx
--- excerpt copied below
Table 4.1: File Permission Change Events
Event IDs Occurrence Comments
560
Access granted to existing object
These events show where an object has successfully granted access to a
request, such as list, read, create, and delete. Check Primary Logon ID,
Client User Name, and Primary User Name fields to detect unauthorized
attempts to change file permissions. Check Accesses field to identify the
operation type. This event only shows that access was requested or
granted-it does not mean that the access took place. The acting user is
the Client User (if present); otherwise it is the Primary User.
567
A permission associated with a handle used
This event occurs on the first instance of an access type (list, read,
create, and so on) to an object. To correlate with event 560, compare the
Handle ID fields of the two events.
"Andy H." <andrew.harlan@xxxxxxxxxxxxxxxx> wrote in message
news:%23LNS0v2UGHA.4248@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
We have a Windows 2003 server with a share setup for users to access and
store documents. In the past few days we noticed word documents
disappearing from various folders within this share. When we restore
these documents from tape to these directories they remain for a couple
minutes and then poof they all disappear. Only .doc files are gone. If
we move these files to another share on the same server they remain.
When we took away delete access from the users group the files remain.
However when those permissions are reinstated the files disappear. There
is no evidence in event logs. Any ideas on how to track these
occurences?
.
- Follow-Ups:
- Re: Disappearing .doc files
- From: Steven L Umbach
- Re: Disappearing .doc files
- From: Roger Abell [MVP]
- Re: Disappearing .doc files
- References:
- Disappearing .doc files
- From: Andy H.
- Re: Disappearing .doc files
- From: Steven L Umbach
- Disappearing .doc files
- Prev by Date: Re: Disappearing .doc files
- Next by Date: Re: SAMR Interface Calls and Active Directory
- Previous by thread: Re: Disappearing .doc files
- Next by thread: Re: Disappearing .doc files
- Index(es):
Relevant Pages
|
