Files keep getting deleted on file server? Not by the user

loxleynew

So I have this strange question and wonder if anyone has ever had this happen to them. I used to think it was user error (like most things) however I don't think so anymore.

Randomly once a week or so someone (always a different person) comes to me and says their files in their folder on our file server have randomly gotten deleted. It's always the files in the root of their folder and all the folders inside that folder are fine.. For example h:\joeschmo and everything inside that folder is deleted however h:\joeschmo\outlook everything in that folder is still there... Only two people have access to his folder. Me and him. If this didn't happen to 5-6 people I would have thought they deleted them but not anymore.

Anyone ever seen this?

undomiel

Is this a DFS? Any replication going on? Enable auditing and start watching for when it happens again.

cisco_trooper

undomiel wrote: »

Is this a DFS? Any replication going on? Enable auditing and start watching for when it happens again.

+1. Auditing is next to God. Also, with DFS shares, something they created may not have replicated to the other DFS box. I forget what these are called, it's been a while since I've messed with it. Check the ntfrs service if this is the case.

blargoe

Auditing, auditing, auditing.

loxleynew

Nope there is no DFS or replicating on it at all. I was going to try auditing but I would have to audit everyone's folder. I was under the assumption the auditing logs take up a lot of disk space. Is this true? Or is there a way to delete the logs automatically after a certain period of time?

loxleynew

So I did some tests and audited the deletions. It just comes back as the user deleting them even though I know it's not them. So that only helps me in the fact that it's not the server it's their computers =/

Such a stupid frustrating problem.

cisco_trooper

loxleynew wrote: »

So I did some tests and audited the deletions. It just comes back as the user deleting them even though I know it's not them. So that only helps me in the fact that it's not the server it's their computers =/

Such a stupid frustrating problem.

Any batch files, logon scripts, or other software users are running? If it is coming back as the user deleting them, then it is the user deleting them, even if they don't know it.

blargoe

That's right. If it's his user account, try to get the host that it came from and make sure it's his computer and not someone else using his logon id, search logon events for his user id and see if any other computers are connecting to the server with his id.

loxleynew

blargoe wrote: »

That's right. If it's his user account, try to get the host that it came from and make sure it's his computer and not someone else using his logon id, search logon events for his user id and see if any other computers are connecting to the server with his id.

Well when I tested I had both computers in front of me. Theirs and mine with remote desktop to the server to check logs. I closed outlook and bam everything got deleted. Says came from the user even though all I did was close outlook. I made some new test files and opened outlook and as soon as I closed outlook again, bam files deleted. Maybe it is an outlook problem? I'm not sure if other peoples files get deleted when they close outlook (this has happened to 4-5 people, but they all are semi dumb and never know what they are doing when it happens.)

We all do use logon scripts to map drives. Did I understand your question right? Maybe I got it wrong. I was under the assumption that you were thinking that someone was using their account to delete the files which is not the case.

cisco_trooper

loxleynew wrote: »

Well when I tested I had both computers in front of me. Theirs and mine with remote desktop to the server to check logs. I closed outlook and bam everything got deleted. Says came from the user even though all I did was close outlook. I made some new test files and opened outlook and as soon as I closed outlook again, bam files deleted. Maybe it is an outlook problem? I'm not sure if other peoples files get deleted when they close outlook (this has happened to 4-5 people, but they all are semi dumb and never know what they are doing when it happens.)

We all do use logon scripts to map drives. Did I understand your question right? Maybe I got it wrong. I was under the assumption that you were thinking that someone was using their account to delete the files which is not the case.

Are they utilizing public folders within Outlook. Any type of resources shared and "mounted" within Outlook, with Outlook set to automatically delete or archive? Don't know if such a thing exists, but it's pretty darn fishy that Outlook closing deletes files if something like this isn't set somewhere.

loxleynew

cisco_trooper wrote: »

Are they utilizing public folders within Outlook. Any type of resources shared and "mounted" within Outlook, with Outlook set to automatically delete or archive? Don't know if such a thing exists, but it's pretty darn fishy that Outlook closing deletes files if something like this isn't set somewhere.

Just personal folders that are located in the same directory that the files keep getting deleted. Maybe outlook is deleting them.

undomiel

What version of Outlook are you using?

blargoe

Does your company use Enterprise Vault or any other centralized mail archiving software? We have it and I know there's an outlook plug in and a setting that deletes PST files once it's been scanned for email to put into the archive.

Could there be any Outlook settings or policies being centrally managed? Group Policy or some third party desktop management software?

motogpman

I would check to see if they are using cahed mode or not. Obviously, if it is coming from several different users and files being deleted, I would check a common ground that everyone shares. Are these files on a networked share, personal drive, local system root?

Are these office/MS documents or others? A lot of viruses and such target MS files. I have to deal with a lot of stupid end users, but this looks like a user is deleting or there is a malicious program/user causing problems. I would look into the cahing setup in Echange, looking at your last post seems to be targeted at Echange.

Any prevuous IT user/admin that mat have a backdoor?