Tracking User Movements On A Network

[oHUTCHYo]

I need to be careful what I say, but suffice to say we have redudancies within our company. Now, pure coincidence or foul-play, a few GB of specific folders have been deleted from a shared network drive which contain costings and sales data.

I fear foul play is at hand, maybe not in the sense of deleting on purpose, but maybe a user trying to copy the files to take with them, but moving them by mistake.

The files are safely backed up, so no harm done. However, is it possible to identify which particular user is guilty?

Most users are on WinXP / Win7.

 

[Luke]

Are you asking if you can find out, or the IT department can?
(or are you in the IT department?)

 

[Dugganator]

Depends if they use auditing software or not. If they are its very likely they know who has done what. Without it it makes the job harder but its still very possible to find out.

Start looking for a new job you bad person

 

[oHUTCHYo]

haha, I'm the Sales Manager working with the IT department to resolve it. An IT department who dont think its possible to trace. I dont agree, there must be a way surely.

We dont have any 3rd party software running as far as I know.

 

[Burnsy2023]

haha, I'm the Sales Manager working with the IT department to resolve it. An IT department who dont think its possible to trace. I dont agree, there must be a way surely.

We dont have any 3rd party software running as far as I know.

If you don't have any file auditing on, and it appears you probably don't, then no, there will not be a way of tracing it.

I find it amusing that a sales manager thinks he knows better than the professionals though.

 

[[TW]Fox]

Yes burnsey because every IT team is staffed by pros who know everything and its never a bunch of chancers who think they do is it.

 

[oddjob62]

Assuming you are using windows as your file servers, auditing is in built but not enabled by default.

 

[Steve2000]

Yes burnsey because every IT team is staffed by pros who know everything and its never a bunch of chancers who think they do is it.

I agree. Most of our IT department certainly falls into the latter.

 

[Burnsy2023]

Assuming you are using windows as your file servers, auditing is in built but not enabled by default.

File auditing also has some pretty major resource requirements as well.

 

[Burnsy2023]

Yes burnsey because every IT team is staffed by pros who know everything and its never a bunch of chancers who think they do is it.

They usually know more than someone in a totally unrelated department.

 

[[TW]Fox]

Usually but not always.

I'm sure most people here who dont work in IT but remain interested in it have numerous tails of frustration about things IT have been unable to resolve despite the solution being painstakingly obvious.

 

[Burnsy2023]

I'm sure most people here who dont work in IT but remain interested in it have numerous tails of frustration about things IT have been unable to resolve despite the solution being painstakingly obvious.

I'm sure a lot of IT guys also know the woes of a manager who knows nothing about IT, thinks they do, and tries to tell you how to do your job.

 

[matt_fsr]

I'm sure a lot of IT guys also know the woes of a manager who knows nothing about IT, thinks they do, and tries to tell you how to do your job.

Or in this case, more likely the woes of a manager who is in the midst of getting rid of staff, yet hasnt got the brainpower to work out that temporary file auditing might be a good idea during this time

 

[Abraham]

I'm sure a lot of IT guys also know the woes of a manager who knows nothing about IT, thinks they do, and tries to tell you how to do your job.

Usually thinking that problems on a stand alone system at home directly relate to the problem they're currently experiencing on their AD'd, Domained, Exchanged workstation.

 

[oHUTCHYo]

In response to me being a know it all, I studied A+, N+ and MCSA so I like to think I have a rough idea, as well as the personal interest I have in computing.

Reference file auditing - deletion rights of all users barring managers were revoked, hence the suspicion of files being moved.

Not sure whats with the elitism or crticism in this post mind you - seems very aggressive considering a very simple and honest question.

 

[Raumarik]

Reference file auditing - deletion rights of all users barring managers were revoked, hence the suspicion of files being moved.

You did say they were deleted and not moved, what has changed?

 

[Priapus]

I have been down this road before, too. From what I could find out - unless file auditing software was/ is on the server - you're not going to have much luck in finding the person responsible for this.

 

[Dj_Jestar]

You did say they were deleted and not moved, what has changed?

No, he states they are no longer in the directory - presumed deleted but with a chance they were just moved by someone wanting to take the data with them when they get the boot. Anyway I thought you can't move stuff if you can't delete.

 

[Priapus]

Well if they have read/write access - they could move it. But if they only have read access - then moving/deleting the data is not possible.

 

[Luke]

If they don't have delete permissions then they can't move files as the originals cannot be removed.