tracking copy transaction

[Asterisks]

Hi
Is there a way to track "copy" transaction (copying of files) from one
folder to another folder. I'm trying to trace who had copied files from a
shared folder (only 1 user was granted read/write access to this folder) to a
public folder in Win2003 server. This user who had been granted access to the
shared folder advised that he did not copy it to the public folder, thus
someone had illegally access his folder and copied those confidential files.

we tried viewing the app/system/security logs from event viewer but it
doesnt help much.

Thanks for any advice.
--
asterisks~

 

[Roger Abell [MVP]]

"Asterisks" <Asterisks@discussions.microsoft.com> wrote in message
news:4571E73B-867C-49D4-8C08-FAE7DD43745C@microsoft.com...
> Hi
> Is there a way to track "copy" transaction (copying of files) from one
> folder to another folder.

No

> I'm trying to trace who had copied files from a
> shared folder (only 1 user was granted read/write access to this folder)
> to a
> public folder in Win2003 server. This user who had been granted access to
> the
> shared folder advised that he did not copy it to the public folder, thus
> someone had illegally access his folder and copied those confidential
> files.
>

Copy is not, so-to-speak, atomic action, from OS audit point-of-view.
It is composed, a read and a save. Read may be audited by NTFS on
the read-from location. Save (Write) may be audited by NTFS but this
is done on the save-to location (which of course means potentially
anywhere, including some that NTFS does not reach like dvd, usb).


> we tried viewing the app/system/security logs from event viewer but it
> doesnt help much.
>

Even if you tried with auditing you would have needed to define what
was audited and where before the event you wanted traced by the
audit events messages.