none
What users have accessed a certain file?

    Question

  • Is there a way to tell what user has accessed a shared file?  I'm running Small Business Server 2003 with active directory.  I would like to know what users have opened a certian file?  Is this possible?
    Tuesday, September 22, 2009 9:23 PM

Answers

  • Hello BaconBit,

     

    To track the past file access information, we can configure audit on the corresponding files and folders on the file server. The thing we can try is to audit folders and files on the file server.

     

    To setup Audit, we can perform the following steps:

     

    1. Log on to file server that share the network folders with an account that has Administrator rights.


    2. Click Start, point to settings, and then click Control Panel.


    3. Double-click Administrative Tools.


    4. Double-click Local Security Policy to start the Local Security Settings snap-in in Microsoft Management Console (MMC).


    5. Double-click Local Policies to expand it, and then double-click Audit Policy.


    6. In the right pane, enable to audit Object Access. Select to audit Success and/or Fail attempts.


    7. Refresh the group policy by running following command.

    gpupdate /force   (Windows 2003)

     

    8. Right click the Folder, select properties, go to Security tab, click Advanced.


    9. Select Audit tab, click Add, select Everyone and enable the option to audit "Traverse folder / execute file", "List folder / read data", "Read attributes" and "Read extended attributes" with Successful and Failed. Make sure that the settings are apply onto "This folder, sub folder and files". You may also enable other operations that you want to monitor.

     

    For more information on enabling file audit, please refer to following KB articles.

     

    How to audit user access of files, folders, and printers in Windows XP

    http://support.microsoft.com/kb/310399

     

    How To Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000

    http://support.microsoft.com/kb/301640

     

    Apply or modify auditing policy settings for a local file or folder

    http://technet.microsoft.com/en-us/library/cc784387.aspx

     

    HOW TO: Enable Local Security Auditing in Windows 2000  

    http://support.microsoft.com/?id=248260


    We can also use following 2 methods to track the current file access information.

     

    Method1. GUI mode: Computer Managements\Shared Folders\Sessions

     

    We can view a list of files that are opened by remote users and close one or all of the open files.

     

    Please check this guide.

     

    Shared Folders overview

    http://technet.microsoft.com/en-us/library/cc738877(WS.10).aspx

     

    Method2. Command line mode: Net Session

     

    We may also use "net session" command to list active sessions which shows what users have opened a file.

     

    Net Session

    http://technet.microsoft.com/en-us/library/bb490711.aspx

     

    Hope this can be helpful.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by David Shen Friday, September 25, 2009 2:32 AM
    • Marked as answer by David Shen Tuesday, September 29, 2009 2:48 AM
    Wednesday, September 23, 2009 2:48 AM

All replies

  • Hello BaconBit,

     

    To track the past file access information, we can configure audit on the corresponding files and folders on the file server. The thing we can try is to audit folders and files on the file server.

     

    To setup Audit, we can perform the following steps:

     

    1. Log on to file server that share the network folders with an account that has Administrator rights.


    2. Click Start, point to settings, and then click Control Panel.


    3. Double-click Administrative Tools.


    4. Double-click Local Security Policy to start the Local Security Settings snap-in in Microsoft Management Console (MMC).


    5. Double-click Local Policies to expand it, and then double-click Audit Policy.


    6. In the right pane, enable to audit Object Access. Select to audit Success and/or Fail attempts.


    7. Refresh the group policy by running following command.

    gpupdate /force   (Windows 2003)

     

    8. Right click the Folder, select properties, go to Security tab, click Advanced.


    9. Select Audit tab, click Add, select Everyone and enable the option to audit "Traverse folder / execute file", "List folder / read data", "Read attributes" and "Read extended attributes" with Successful and Failed. Make sure that the settings are apply onto "This folder, sub folder and files". You may also enable other operations that you want to monitor.

     

    For more information on enabling file audit, please refer to following KB articles.

     

    How to audit user access of files, folders, and printers in Windows XP

    http://support.microsoft.com/kb/310399

     

    How To Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000

    http://support.microsoft.com/kb/301640

     

    Apply or modify auditing policy settings for a local file or folder

    http://technet.microsoft.com/en-us/library/cc784387.aspx

     

    HOW TO: Enable Local Security Auditing in Windows 2000  

    http://support.microsoft.com/?id=248260


    We can also use following 2 methods to track the current file access information.

     

    Method1. GUI mode: Computer Managements\Shared Folders\Sessions

     

    We can view a list of files that are opened by remote users and close one or all of the open files.

     

    Please check this guide.

     

    Shared Folders overview

    http://technet.microsoft.com/en-us/library/cc738877(WS.10).aspx

     

    Method2. Command line mode: Net Session

     

    We may also use "net session" command to list active sessions which shows what users have opened a file.

     

    Net Session

    http://technet.microsoft.com/en-us/library/bb490711.aspx

     

    Hope this can be helpful.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by David Shen Friday, September 25, 2009 2:32 AM
    • Marked as answer by David Shen Tuesday, September 29, 2009 2:48 AM
    Wednesday, September 23, 2009 2:48 AM
  • Hi,

    We want to see if the information provided was helpful. Please let us know if you have any additional questions or concerns. Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, September 28, 2009 3:33 AM
  • Hello BaconBit!

    You might want to give a look to FileAudit.

    FileAudit monitors, archives and reports on accesses (or access attempts) to sensitive data stored on Microsoft Windows systems.

    With a simple right click in Windows explorer or from the console, FileAudit instantly gives an error ridden and comprehensive list of:

    - read/write accesses
    - appropriation attempts (accepted or denied)
    - permission modification attempts (accepted or denied)

    each record detailing:

    - the user
    - the domain
    - the date and time of connection and disconnection

    for:

    - a file
    - a selection of files
    - a folder and subfolders
    - a selection of folders and subfolders

    Best,


    François Amigorena President & CEO IS Decisions (Security Software) http://www.isdecisions.com
    Friday, September 17, 2010 9:19 AM