Hello,
In our environment, our users all have a personal folder assigned to them. IT personnel and other users have access to these folders. I want to build a search that will display users that access files/folders on these personal areas that are not the user the folder was created for. The folder will basically be \\servername\sharename\username. I want to be able to see when the user's username doesn't match up with the username (folder name) on the server. For instance, I want to see when user jdoe is accessing the personal area for jschmoe located at \\servername\sharename\jschmoe. I have below an example of the logs I'm working with. The parts of the log that I'm especially interested in are in bold. The first bold portion is the "\\servername\sharename\jschmoe" portion that shows the location of the user's personal folder. The second bold portion is the username that is accessing the personal folder. Any help or suggestions with this would be tremendously helpful.
Security,1812722872,2012-03-13 12:16:40,2012-03-13 12:16:40,560,16,Failure Audit event,3,Object Access,Security,"Security|File|\file_system_name\Home\username\*|-|Open|-|-|-|-|-|username|domain|0x0066dc7808 - X.X.X.X|WRITE_DAC WRITE_OWNER|-",Server_Name,S-1-5-21-684679960-1866280647-358221868-2815,"Object Open: Object Server: Security Object Type: File Object Name: \file_system_name\Home\username\* New Handle ID: - Operation ID: {Open,-} Process ID: - Primary User Name: - Primary Domain: - Primary Logon ID: - Client User Name: username Client Domain: DOMAINNAME Client Logon ID: 0x0066dc7808 - X.X.X.X Accesses WRITE_DAC WRITE_OWNER Privileges - ",
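An added example, not part of the original post: the comparison the question asks for, written as Python over the message text of the event shown above. The share name `Home`, the function names and the sample events are assumptions constructed for illustration; the two field labels (`Object Name:` and `Client User Name:`) come from the posted event.

```python
import re

# Fields taken from the message text of the event in the post. Assumption: the
# folder owner is the path component right after the share name ("Home" there).
OBJECT_RE = re.compile(r"Object Name:\s+(.*?)\s+New Handle ID:")
CLIENT_RE = re.compile(r"Client User Name:\s+(\S+)\s+Client Domain:")

def folder_owner(object_name, share="Home"):
    """Return the folder name directly under the share, or None if absent."""
    parts = [p for p in object_name.split("\\") if p]
    lowered = [p.lower() for p in parts]
    if share.lower() not in lowered:
        return None
    idx = lowered.index(share.lower()) + 1
    if idx >= len(parts) or parts[idx] == "*":
        return None
    return parts[idx]

def cross_access(event, share="Home"):
    """Return (client_user, owner, object_name) on a mismatch, else None."""
    obj, cli = OBJECT_RE.search(event), CLIENT_RE.search(event)
    if not obj or not cli:
        return None
    owner, user = folder_owner(obj.group(1), share), cli.group(1)
    if owner is None or user == "-":
        return None
    # Windows account names are case-insensitive, so compare lowercased.
    if user.lower() == owner.lower():
        return None
    return (user, owner, obj.group(1))

def find_cross_access(events, share="Home"):
    """Return the mismatch tuples for every event that has one."""
    return [hit for hit in (cross_access(e, share) for e in events) if hit]

# Constructed sample events (message text only), modelled on the one in the post.
SAMPLE_EVENTS = [
    r"Object Open: Object Server: Security Object Type: File Object Name: "
    r"\fs01\Home\jschmoe\budget 2012.xls New Handle ID: - Operation ID: {Open,-} "
    r"Client User Name: jdoe Client Domain: CORP Client Logon ID: 0x1 Accesses READ_CONTROL",
    r"Object Open: Object Server: Security Object Type: File Object Name: "
    r"\fs01\Home\jschmoe\* New Handle ID: - Operation ID: {Open,-} "
    r"Client User Name: JSchmoe Client Domain: CORP Client Logon ID: 0x2 Accesses WRITE_DAC",
    r"Object Open: Object Server: Security Object Type: File Object Name: "
    r"\fs01\Apps\tool.exe New Handle ID: - Operation ID: {Open,-} "
    r"Client User Name: jdoe Client Domain: CORP Client Logon ID: 0x3 Accesses READ_CONTROL",
]

if __name__ == "__main__":
    for user, owner, path in find_cross_access(SAMPLE_EVENTS):
        print(f"{user} accessed {owner}'s folder: {path}")
```

The same two extractions and the case-insensitive inequality carry over to a log search: extract the folder name and the client user name as fields, then keep only events where they differ.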