Auditing Object Access

[Guest JohnB]

This is kind of an usual situation; approximately 50 users whose primary

use of the network is to RDP into a server to use a company application. It

is a Windows 2003 server that was setup as a DC. The clients are Vista and

XP, all Home edition. So none of the computers are joined to the domain (I

know, unusual).

 

The server is backed up at night by Scheduler using xcopy in a batch file.

Everything seems to work fine with the backup.

 

But, almost every day, files and sub-folders turn up missing from one

particular folder on the server. They are primarily Word and Excel files

(all accessed locally using RDP).

 

I redirect the output of the xcopy commands to a text file. Today when

someone reported files missing from the folder, I looked at that backup log

and could tell the number of sub-folders was down considerably from the day

before.

 

My guess is this could be one of two things; either the xcopy command is

somehow *loosing* files/folders or, someone is accidentally deleting or

moving files during the day. I have never seen folders come up missing

after an xcopy. So am leaning towards the problem being with a user

moving/deleting them. I would like to use auditing to find out if a user is

responsible.

 

My question is: how do I use Auditing for Object Access if none of the

computers are joined to the domain?

If they aren't, I can't configure the GP.

 

TIA

[Guest Meinolf Weber]

Re: Auditing Object Access

 

Hello JohnB,

 

If the users have a domain user account, which i assume, because they use

RDP to connect to the server, then open the folder properties where the data

is stored, go to Security Tab and enable auditing on the folder, choose the

user accounts or better create a group, move all user accounts to the group

and add the group for auditing. Now you can see in the event log what the

users have done.

 

BTW, using a DC for normal user logons as a Terminal server is a really bad

decision from the point of security. A DC should always do it's main work

and not be accessed by normal users. For this kind of application server/terminal

server use a member server.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> This is kind of an usual situation; approximately 50 users whose

> primary use of the network is to RDP into a server to use a company

> application. It is a Windows 2003 server that was setup as a DC. The

> clients are Vista and XP, all Home edition. So none of the computers

> are joined to the domain (I know, unusual).

>

> The server is backed up at night by Scheduler using xcopy in a batch

> file. Everything seems to work fine with the backup.

>

> But, almost every day, files and sub-folders turn up missing from one

> particular folder on the server. They are primarily Word and Excel

> files (all accessed locally using RDP).

>

> I redirect the output of the xcopy commands to a text file. Today

> when someone reported files missing from the folder, I looked at that

> backup log and could tell the number of sub-folders was down

> considerably from the day before.

>

> My guess is this could be one of two things; either the xcopy command

> is somehow *loosing* files/folders or, someone is accidentally

> deleting or moving files during the day. I have never seen folders

> come up missing after an xcopy. So am leaning towards the problem

> being with a user moving/deleting them. I would like to use auditing

> to find out if a user is responsible.

>

> My question is: how do I use Auditing for Object Access if none of

> the

> computers are joined to the domain?

> If they aren't, I can't configure the GP.

> TIA

>

[Guest JohnB]

Re: Auditing Object Access

 

Oh ok... I thought I had to also configure a GP.

 

I agree, the way the network is setup isn't ideal. But I just started

working here, and management here is resistant to change. Maybe some day.

By the way; can Vista Home and XP Home computers join a domain?

 

 

 

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

news:ff16fb66a5e278cac6f589d00a40@msnews.microsoft.com...

> Hello JohnB,

>

> If the users have a domain user account, which i assume, because they use

> RDP to connect to the server, then open the folder properties where the

> data is stored, go to Security Tab and enable auditing on the folder,

> choose the user accounts or better create a group, move all user accounts

> to the group and add the group for auditing. Now you can see in the event

> log what the users have done.

>

> BTW, using a DC for normal user logons as a Terminal server is a really

> bad decision from the point of security. A DC should always do it's main

> work and not be accessed by normal users. For this kind of application

> server/terminal server use a member server.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and

> confers no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>

>> This is kind of an usual situation; approximately 50 users whose

>> primary use of the network is to RDP into a server to use a company

>> application. It is a Windows 2003 server that was setup as a DC. The

>> clients are Vista and XP, all Home edition. So none of the computers

>> are joined to the domain (I know, unusual).

>>

>> The server is backed up at night by Scheduler using xcopy in a batch

>> file. Everything seems to work fine with the backup.

>>

>> But, almost every day, files and sub-folders turn up missing from one

>> particular folder on the server. They are primarily Word and Excel

>> files (all accessed locally using RDP).

>>

>> I redirect the output of the xcopy commands to a text file. Today

>> when someone reported files missing from the folder, I looked at that

>> backup log and could tell the number of sub-folders was down

>> considerably from the day before.

>>

>> My guess is this could be one of two things; either the xcopy command

>> is somehow *loosing* files/folders or, someone is accidentally

>> deleting or moving files during the day. I have never seen folders

>> come up missing after an xcopy. So am leaning towards the problem

>> being with a user moving/deleting them. I would like to use auditing

>> to find out if a user is responsible.

>>

>> My question is: how do I use Auditing for Object Access if none of

>> the

>> computers are joined to the domain?

>> If they aren't, I can't configure the GP.

>> TIA

>>

>

>

[Guest Meinolf Weber]

Re: Auditing Object Access

 

Hello JohnB,

 

Vista versions that can join a domain:

Vista Business

Vista Business N

Vista Enterprise

Vista Ultimate

 

XP versions that can join a domain:

XP Professional

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Oh ok... I thought I had to also configure a GP.

>

> I agree, the way the network is setup isn't ideal. But I just started

> working here, and management here is resistant to change. Maybe some

> day. By the way; can Vista Home and XP Home computers join a domain?

>

> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

> news:ff16fb66a5e278cac6f589d00a40@msnews.microsoft.com...

>

>> Hello JohnB,

>>

>> If the users have a domain user account, which i assume, because they

>> use RDP to connect to the server, then open the folder properties

>> where the data is stored, go to Security Tab and enable auditing on

>> the folder, choose the user accounts or better create a group, move

>> all user accounts to the group and add the group for auditing. Now

>> you can see in the event log what the users have done.

>>

>> BTW, using a DC for normal user logons as a Terminal server is a

>> really bad decision from the point of security. A DC should always do

>> it's main work and not be accessed by normal users. For this kind of

>> application server/terminal server use a member server.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers no rights.

>> ** Please do NOT email, only reply to Newsgroups

>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>> This is kind of an usual situation; approximately 50 users whose

>>> primary use of the network is to RDP into a server to use a company

>>> application. It is a Windows 2003 server that was setup as a DC.

>>> The clients are Vista and XP, all Home edition. So none of the

>>> computers are joined to the domain (I know, unusual).

>>>

>>> The server is backed up at night by Scheduler using xcopy in a batch

>>> file. Everything seems to work fine with the backup.

>>>

>>> But, almost every day, files and sub-folders turn up missing from

>>> one particular folder on the server. They are primarily Word and

>>> Excel files (all accessed locally using RDP).

>>>

>>> I redirect the output of the xcopy commands to a text file. Today

>>> when someone reported files missing from the folder, I looked at

>>> that backup log and could tell the number of sub-folders was down

>>> considerably from the day before.

>>>

>>> My guess is this could be one of two things; either the xcopy

>>> command is somehow *loosing* files/folders or, someone is

>>> accidentally deleting or moving files during the day. I have never

>>> seen folders come up missing after an xcopy. So am leaning towards

>>> the problem being with a user moving/deleting them. I would like to

>>> use auditing to find out if a user is responsible.

>>>

>>> My question is: how do I use Auditing for Object Access if none of

>>> the

>>> computers are joined to the domain?

>>> If they aren't, I can't configure the GP.

>>> TIA