Server 2003 - Identify user that deleted a file from share?

Discussion in 'Networking & Security' started by dan__wright, Oct 3, 2007.

  1. dan__wright

    dan__wright [H]Lite

    Messages:
    91
    Joined:
    May 27, 2007
One of the files on one of our shares disappeared. The thing is, this file was tnsnames.ora, meaning none of our users could initiate a new connection to any of our databases.

    the permissions on this area are:
    users = read
    'uk admins' = full
    system = full

There are 4 of us in the uk admins group (including myself) and none of us moved / deleted this file. I had it back in minutes, but that's not the problem; it's how the file disappeared!

Has anyone seen any strange issues like this before? It's got to be one of the most heavily accessed files on our network, as whenever a PC wants to access an Oracle database it looks it up from the file (it's a bit like DNS for databases).

Are there any logs or any way to see if someone deleted it, or if anything happened to it in order for it to vanish?

The server is running Server 2003 Standard SP1, and is a DC and GC.
It runs DNS, DHCP, WINS, file and print sharing.
AV is Symantec AV 10 Corp; nothing in quarantine or the log to do with this.

The system runs on a RAID 5 array with no errors from the array, so I doubt it's something at the disc level.

    TIA
    Dan
     
  2. Demon10000

    Demon10000 [H]ardness Supreme

    Messages:
    4,502
    Joined:
    Aug 20, 2006
You know, I've deleted files by accident before... it happens. Someone in your admins group had to do it, as even with full share permissions, read would restrict your users to only being able to read the file.

Of course, someone could have executed the delete command as system... but it's really more likely that someone deleted it by accident.

    Without auditing enabled, there really isn't a way to find out who deleted the files. It's times like this when I miss the old Novell servers where you could fire up a utility and undelete a file and identify the user that deleted it.
     
  3. FalseGod

    FalseGod Limp Gawd

    Messages:
    479
    Joined:
    Jun 7, 2004
I'd go through the system logs and see who logged in as close to when you think the file was deleted as possible. Unless they went in through a share or the administrative share, you should be able to at least get an idea of who it might have been. If there was someone logged in at the time of the outage, then you might have your culprit.
     
  4. SpaceHonkey

    SpaceHonkey Gawd

    Messages:
    984
    Joined:
    Jan 25, 2007
  5. dan__wright

    dan__wright [H]Lite

    Messages:
    91
    Joined:
    May 27, 2007
I know it wasn't deleted locally from the machine; it's always locked as a specific account and there were no logins for that account in the security log.

It will have been via the share or the d$ admin share. We have Tripwire, but because it was deleted and put back so quickly it won't have picked it up.

I will have a look at the AD audit stuff. We already audit all AD changes, but I didn't know you could do it for the file system too. It will be useful for the future, and if we implement it, it will be an acceptable resolution if we are unable to trace what happened.

    Thanks
    Dan
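
The file-system auditing that Demon10000 mentions and that Dan says he will look into, as an added worked example (this is not code from anyone in the thread): it puts a delete-audit SACL on the folder that holds tnsnames.ora and then pulls the matching Security log entries. The folder path D:\Shares\Oracle is an assumption (the thread only mentions the d$ admin share), and the event IDs are the documented ones for Server 2003 (560, Object Open) and Vista and later (4663). One prerequisite the script does not do for you: "Audit object access" (Success) must be enabled in the policy that applies to the server, which on a DC means the Default Domain Controllers Policy GPO. A SACL without that policy setting writes no events at all, which is the most common reason file auditing "doesn't work".

```powershell
# Added example, not from the thread. Run as a member of the admins group on the
# file server / DC; writing a SACL needs SeSecurityPrivilege.
# Assumed path (the thread names only the d$ admin share):
$folder = 'D:\Shares\Oracle'

# 1. Audit successful DELETE (file) and DeleteSubdirectoriesAndFiles (folder) for
#    Everyone, inherited by subfolders and files. Success auditing is what answers
#    "who deleted it"; add Failure if you also want to see attempts that were denied.
$acl     = Get-Acl -Path $folder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($'Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: the audit ACE must be present on the folder, or nothing will ever be logged.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 2. Who deleted what. On Server 2003 a delete is logged as 560 (Object Open with
#    DELETE in "Accesses"; carries the object name and the user) followed by 564
#    (Object Deleted; carries only the handle ID). The 560 is the one that names
#    the account. 4663 is the equivalent on Vista and later.
function Get-FileDeleteEvents {
    param(
        [string]$FilePath,
        [datetime]$After = (Get-Date).AddDays(-1)
    )
    Get-EventLog -LogName Security -After $After -InstanceId 560, 4663 |
        Where-Object {
            $_.Message -match [regex]::Escape($FilePath) -and
            $_.Message -match 'DELETE'
        } |
        ForEach-Object {
            # Access over a share is impersonated, so on 560 the caller is in
            # "Client User Name" and "Primary User Name" is the server's own
            # account; a local delete shows "-" as the client. 4663 uses
            # "Account Name". Take the first label with a real value.
            $user = $null
            foreach ($label in 'Client User Name', 'Account Name', 'Primary User Name') {
                $pattern = '{0}:\s+(\S+)' -f $label
                if (($_.Message -match $pattern) -and ($Matches[1] -ne '-')) {
                    $user = $Matches[1]
                    break
                }
            }
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                EventId = $_.InstanceId
                User    = $user
                Server  = $_.MachineName
            }
        }
}

# Usage: everything that opened tnsnames.ora for delete in the last 6 hours.
Get-FileDeleteEvents -FilePath (Join-Path $folder 'tnsnames.ora') -After (Get-Date).AddHours(-6) |
    Sort-Object Time |
    Format-Table Time, EventId, User, Server -AutoSize
```

Two caveats worth knowing before relying on this: a rename or a move to another folder on the same volume does not delete the file, so it is logged under DELETE access on the source name only if the SACL covers the folder (it does here, via ContainerInherit), and the Security log on a busy DC rolls over quickly, so raise its maximum size or forward it to another host before auditing the "heaviest accessed file on the network", or the entry you need will be gone by the time anyone looks.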