
Missing files/folders



Guest Grainne
Posted

We have a customer that uses terminal services with small business server 2003. Frequently they come to us with a recurring issue whereby folders/files have disappeared, when they search for them, they are found in a different location. They have asked their users and no-one is admitting to moving them manually. However, one user said when he was working remotely his screen flickered and the folder/files he was looking at had disappeared, we found them the next day in a different location.

Normally, we would put this down to user error, however today we logged onto their server remotely to move some folder/files for them that had been moved to a different location last night (again, no-one admitting to moving them), we copied the folder back to its original location and deleted the folder that was in the wrong place. We then went into the recycle bin to delete completely, the screen flickered and the folder/files had disappeared from the recycle bin, we checked and they had been restored to the original location as if we had selected "restore" when we hadn't!

We have enabled auditing object access on their main folders/files to help us in the future, however this would only tell us who had moved them and doesn't really offer a solution as to why it appears to be so sensitive. Has anyone else experienced this issue and if so, are you aware of a solution?

 

Thanks

Posted

Re: Missing files/folders

 

Grainne wrote:

> We have a customer that uses terminal services with small business server 2003. Frequently they come to us with a recurring issue whereby folders/files have disappeared, when they search for them, they are found in a different location. They have asked their users and no-one is admitting to moving them manually. However, one user said when he was working remotely his screen flickered and the folder/files he was looking at had disappeared, we found them the next day in a different location.
>
> Normally, we would put this down to user error, however today we logged onto their server remotely to move some folder/files for them that had been moved to a different location last night (again, no-one admitting to moving them), we copied the folder back to its original location and deleted the folder that was in the wrong place. We then went into the recycle bin to delete completely, the screen flickered and the folder/files had disappeared from the recycle bin, we checked and they had been restored to the original location as if we had selected "restore" when we hadn't!
>
> We have enabled auditing object access on their main folders/files to help us in the future, however this would only tell us who had moved them and doesn't really offer a solution as to why it appears to be so sensitive. Has anyone else experienced this issue and if so, are you aware of a solution?
>
> Thanks

 

Just a thought, could it be that the system may be compromised? The screen flicker makes me cautious.

Are the folders/files located on a shared drive or local to the TS server?

If it is a shared drive, I would lean towards an unknowledgeable user moving them.

Are the same folders/files being moved or are they random?

When the folders/files are moved, are they moved to the same place or is it random?

Just trying to find some type of pattern.

 

moncho

Guest Grainne
Posted

Re: Missing files/folders

 

Hi Moncho

 

Thanks for the response

 

The files/folders are located on a shared drive on a Small Business Server, Terminal Service is a separate server.

It is unlikely a user is knowingly moving them because the same thing has happened to myself whilst logged on remotely and I know that I didn't request a restore from the recycle bin but that is what happened. As this has happened a number of times, the customer has spoken to their users on a number of occasions and due to the particular storage structure they have it would be highly unlikely for a user to do this knowingly internally. It is a possibility they have a malicious user but they are only a small company and I would be very surprised.

Random files/folders are being moved and to random locations, sometimes (in the last instance) a folder and 3 of its sub folders were moved but the remaining 6 subfolders were still in place! In one of the sub folders that was moved only 9 files in it were moved and the remaining files of that sub folder were still in place (as if that sub folder was a copy rather than a move!)

It's very strange! And sounds so ridiculous as I type it, but that is what happens!

Grainne

 

 


Posted

Re: Missing files/folders

 

Grainne wrote:

> Hi Moncho
>
> Thanks for the response
>
> The files/folders are located on a shared drive on a Small Business Server, Terminal Service is a separate server.
>
> It is unlikely a user is knowingly moving them because the same thing has happened to myself whilst logged on remotely and I know that I didn't request a restore from the recycle bin but that is what happened. As this has happened a number of times, the customer has spoken to their users on a number of occasions and due to the particular storage structure they have it would be highly unlikely for a user to do this knowingly internally. It is a possibility they have a malicious user but they are only a small company and I would be very surprised.
>
> Random files/folders are being moved and to random locations, sometimes (in the last instance) a folder and 3 of its sub folders were moved but the remaining 6 subfolders were still in place! In one of the sub folders that was moved only 9 files in it were moved and the remaining files of that sub folder were still in place (as if that sub folder was a copy rather than a move!)
>
> It's very strange! And sounds so ridiculous as I type it, but that is what happens!

 

When you were in remotely, were you in the SBS server or the TS server?

Is this a 24X7 shop and if not, were folder/files "weirdly" moved when no one was there, either in the office or remotely?

Does this only happen when RDP'd into the TS server? Since this is a shared drive, does this also happen from local workstations when viewing in Windows Explorer?

What about checking scheduled tasks or any other automated processes? Maybe .vbs or .bat files are messing around.

I think you may need to wait for the object access audit and maybe you will find the culprit.

I have no idea what may cause this issue but I figure if I keep asking questions, maybe there is something that will trigger a thought or an idea.

Do you have anti-virus software on the server that has a "resident shield" active that may be messing with the application?

hmmm.

 

moncho

 

> Grainne

>

>

> "moncho" wrote:

>

>> Just a thought, could it be that the system may be compromised?

>> The screen flicker makes me cautious.

>>

>> Are the folders/files located on a shared drive or local to the TS server?

>>

>> If it is a shared drive, I would lean towards an unknowledgeable

>> user moving them.

>>

>> Are the same folders/files being moved or are they random?

>>

>> When the folders/files are moved, are they moved to the same

>> place or is it random?

>>

>> Just trying to find some type of pattern.

>>

>> moncho

>>

Guest Grainne
Posted

Re: Missing files/folders

 

Hi Moncho

 

I was authenticated on TS Server and was working on files on SBS Server. The customer doesn't store anything on TS Server, it just authenticates them and passes them through to SBS.

It isn't a 24x7 shop and files always appear to move when someone is logged in remotely. One of the users mentioned that they were logged in remotely, the screen flickered and the files they were working on had disappeared (they were found the next day elsewhere), this user is also quite IT literate therefore wouldn't usually make mistakes and not own up to them.

It appears to only happen when RDP'd into the server but I can't be sure. It doesn't usually happen when working locally internally and accessing shared network files. Usually the customer comes in first thing in the morning and notices files are not where they should be so it appears it happens overnight when users would be RDP'd into the system.

I'll check the scheduled tasks and antivirus and keep and look at the audit when it next happens.

 

Grainne

 


Posted

Re: Missing files/folders

 

Do you use any type of replication software to remote sites or internally? Any DFS ns or replication to speak of? I had this happen to me, but it was due to corruption on my file server which was a member of the namespace. When a user logged in it caused the corrupted files to disappear, when this happened my hotsite, not available directly to users, replaced the files to a previous location on my active linked member.

 


Guest Grainne
Posted

Re: Missing files/folders

 

Hi Jeff

 

Thanks for the reply

 

There is no replication software to remote sites or internally in use and DFS is not used.

In response to Moncho's reply, there are no scheduled tasks or automated processes.

AV "resident shield" is active for scanning "infectable files" only. I'm reluctant to take this off as surely it is required, however if someone thinks that it should be unticked, I can try it.

A backup runs daily at night which could be running whilst users are working on files - could this cause the problem?

I can't think of anything else. It's a relatively simple setup, Small Business Server 2003 with Terminal Service 2003 at the main site - all remote sites connect via RDP.

 

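Added example (not part of any post in this thread): one way to triage the object access audit once it has collected events, by clustering DELETE-access records per account, logon session and process so that a burst such as a moved folder tree stands out, and flagging bursts outside office hours. The CSV layout, account names, paths, process names and office hours are all constructed for illustration; real input would be the Security log object-access events exported to a file.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export; the column layout is an assumption of this example.
SAMPLE_CSV = r"""time,user,logon_id,image,object,accesses
2008-03-04 14:02:11,EXAMPLE\user1,0x3e1a7,explorer.exe,D:\Shared\Jobs\2008,ReadData
2008-03-04 22:41:03,EXAMPLE\user2,0x5c2f0,explorer.exe,D:\Shared\Jobs\2008,DELETE|ReadAttributes
2008-03-04 22:41:03,EXAMPLE\user2,0x5c2f0,explorer.exe,D:\Shared\Jobs\2008\Quotes,DELETE
2008-03-04 22:41:05,EXAMPLE\user2,0x5c2f0,explorer.exe,D:\Shared\Jobs\2008\Plans,DELETE
2008-03-04 23:15:00,EXAMPLE\svc1,0x1f001,wscript.exe,D:\Shared\Temp\old.log,DELETE
2008-03-05 01:30:00,EXAMPLE\svc2,0x20b44,ntbackup.exe,D:\Shared\Jobs\2007,ReadData
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed office hours


def load_events(text):
    """Parse the export into dicts with a datetime and a set of access rights."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["accesses"] = set(row["accesses"].split("|"))
        rows.append(row)
    return sorted(rows, key=lambda r: r["time"])


def _summarise(actor, evs):
    start = evs[0]["time"]
    in_hours = BUSINESS_HOURS[0] <= start.time() < BUSINESS_HOURS[1]
    return {"user": actor[0], "logon_id": actor[1], "image": actor[2],
            "start": start, "objects": [e["object"] for e in evs],
            "out_of_hours": not in_hours}


def delete_bursts(events, window_seconds=5):
    """Cluster DELETE-access events per (user, logon session, process)."""
    by_actor = defaultdict(list)
    for ev in events:
        if "DELETE" in ev["accesses"]:  # moves and deletes both request DELETE
            by_actor[(ev["user"], ev["logon_id"], ev["image"])].append(ev)
    bursts = []
    for actor, evs in by_actor.items():
        current = [evs[0]]
        for ev in evs[1:]:
            gap = (ev["time"] - current[-1]["time"]).total_seconds()
            if gap <= window_seconds:
                current.append(ev)
            else:
                bursts.append(_summarise(actor, current))
                current = [ev]
        bursts.append(_summarise(actor, current))
    return sorted(bursts, key=lambda b: b["start"])


if __name__ == "__main__":
    for b in delete_bursts(load_events(SAMPLE_CSV)):
        print(b["start"], b["user"], b["image"], len(b["objects"]), b["out_of_hours"])
```

The process column separates an interactive session (Explorer) from a script host, backup agent or antivirus scanner, and the logon ID can then be matched against logon events to find the originating workstation or RDP session.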
