Auditing Object Access


JohnB

Guest
This is kind of an unusual situation; approximately 50 users whose primary
use of the network is to RDP into a server to use a company application. It
is a Windows 2003 server that was set up as a DC. The clients are Vista and
XP, all Home edition. So none of the computers are joined to the domain (I
know, unusual).

The server is backed up at night by Scheduler using xcopy in a batch file.
Everything seems to work fine with the backup.

But, almost every day, files and sub-folders turn up missing from one
particular folder on the server. They are primarily Word and Excel files
(all accessed locally using RDP).

I redirect the output of the xcopy commands to a text file. Today when
someone reported files missing from the folder, I looked at that backup log
and could tell the number of sub-folders was down considerably from the day
before.

My guess is this could be one of two things; either the xcopy command is
somehow *losing* files/folders or, someone is accidentally deleting or
moving files during the day. I have never seen folders come up missing
after an xcopy. So I am leaning towards the problem being with a user
moving/deleting them. I would like to use auditing to find out if a user is
responsible.

My question is: how do I use Auditing for Object Access if none of the
computers are joined to the domain?
If they aren't, I can't configure the GP.

TIA
 
Re: Auditing Object Access

Hello JohnB,

If the users have a domain user account, which I assume, because they use
RDP to connect to the server, then open the folder properties where the data
is stored, go to Security Tab and enable auditing on the folder, choose the
user accounts or better create a group, move all user accounts to the group
and add the group for auditing. Now you can see in the event log what the
users have done.

BTW, using a DC for normal user logons as a Terminal server is a really bad
decision from the point of security. A DC should always do its main work
and not be accessed by normal users. For this kind of application server/terminal
server use a member server.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
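
An added example, not part of the original posts: once auditing entries are on the folder, a deletion appears in the Security log as an object-open event followed by an object-deleted event that carries only a handle, so the two must be paired to name the user and the file. The sketch assumes the Windows Server 2003 event IDs 560, 562 and 564 and a constructed one-line-per-event export; the user names, paths and times are made up.

```python
# Constructed sample, one event per line: "event id|time|message fields".
# Field labels follow the Windows Server 2003 Security log text for
# 560 (object open), 562 (handle closed) and 564 (object deleted).
SAMPLE = r"""
560|2009-03-02 09:58:11|Object Name: D:\Shared\Docs\Budget.xls; Handle ID: 1876; Process ID: 2204; Primary User Name: bjones; Client User Name: -; Accesses: DELETE ReadAttributes
562|2009-03-02 09:58:12|Handle ID: 1876; Process ID: 2204
560|2009-03-02 10:14:07|Object Name: D:\Shared\Docs\Quotes; Handle ID: 1432; Process ID: 3120; Primary User Name: asmith; Client User Name: -; Accesses: DELETE ReadAttributes
564|2009-03-02 10:14:07|Handle ID: 1432; Process ID: 3120
560|2009-03-02 10:20:30|Object Name: D:\Shared\Docs\Plan.doc; Handle ID: 1876; Process ID: 2204; Primary User Name: bjones; Client User Name: -; Accesses: ReadData
"""


def find_deletions(text):
    """Return (time, user, object name) for each 564 paired with its 560."""
    open_handles = {}  # (process id, handle id) -> (user, object name)
    deletions = []
    for line in text.strip().splitlines():
        event_id, when, body = line.split("|", 2)
        f = dict(part.split(": ", 1) for part in body.split("; "))
        key = (f["Process ID"], f["Handle ID"])
        if event_id == "560":
            # Local (console/RDP) access logs the user as Primary and "-" as
            # Client; access over a share logs the user as Client instead.
            client = f["Client User Name"]
            user = client if client != "-" else f["Primary User Name"]
            open_handles[key] = (user, f["Object Name"])
        elif event_id == "562":
            # Handle IDs are reused after close, so forget the old pairing.
            open_handles.pop(key, None)
        elif event_id == "564" and key in open_handles:
            user, name = open_handles.pop(key)
            deletions.append((when, user, name))
    return deletions


if __name__ == "__main__":
    for when, user, name in find_deletions(SAMPLE):
        print(when, user, "deleted", name)
```

In the sample, bjones opens a file with DELETE access but closes it without deleting, so only the asmith event is reported. These events are written only when the "Audit object access" policy is enabled on the server in addition to the auditing entries on the folder.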

 
Re: Auditing Object Access

Oh ok... I thought I had to also configure a GP.

I agree, the way the network is set up isn't ideal. But I just started
working here, and management here is resistant to change. Maybe some day.
By the way; can Vista Home and XP Home computers join a domain?



 
Re: Auditing Object Access

Hello JohnB,

Vista versions that can join a domain:
Vista Business
Vista Business N
Vista Enterprise
Vista Ultimate

XP versions that can join a domain:
XP Professional

Best regards

Meinolf Weber