I have a Windows Server 2012 R2 box with file server role installed (FSRM, DFS Namespaces, DFSR). One folder from the DFS namespace increased substantially in size in the last two days. The folder has many, many subfolders and so on. I wanted to check whats going on there, what are the new files, maybe also who is addind files there. I can set the auditing settings to everyone in the folder, but it spits too much information in the security log, not really practical I think. I don't really have any third party tool installed. Is there a easier way to collect this kind of information? Maybe a Powershell script getting the last written files?
How to audit new files in Windows File Server (DFS)
dfs-rwindows-server-2012-r2
Best Answer
The Security Event Log and auditing object access would be the "supported" way to do this w/o adding third-party software. There's no built-in functionality, otherwise, that would do what you're looking for.
Searching for files by date isn't a bad idea (you could get a Win32 port of the Unix
findutility to help with that) but you can't absolutely guarantee that a user hasn't altered the modification time on a file. It's not 100% foolproof like the Security Event Log would be, but it's not unreasonable.If the folders you're talking about are being replicated by DFS-R I suppose you could use the DFS-R logs (in
%SystemRoot%\System32\Debug) to try to track new file creations (by way of their replication events), too.