Rem: Determining Who Is Overwriting Files

Rather than enabling auditing and wading through the Security logs, you can use the Dir command to determine who is overwriting files.

Dick Lewis

August 15, 2004


Q: A collaboration group member told me that someone is mistakenly uploading older versions of files to the network and thus overwriting newer versions that the collaboration group created. Investigating this problem by enabling auditing and wading through the verbose Security logs would be too time-consuming. Is there an easier way?

 

A: Yes; as Listing 1 shows, you can use the Dir command to periodically retrieve each target file's owner, record that information in a log file, then examine the log file to determine who has been overwriting the newer version. In the sample code in Listing 1, the file being investigated is \\server1\shareA\projectfile.doc. The Dir command's /Q switch periodically retrieves that file's owner, and its /T switch with the W option retrieves that file's Last Written time field.

The For command at callout A in Listing 1 uses a tab to parse the output that the Dir command returns. (Note that in this For command and in the Echo command, I use arrows to serve as placeholders for tabs because tabs are nonprinting characters.) The For command then stores the file information in five variables: fdate (contains the date the file was last written to), ftime (contains the time the file was last written to), fsize (contains the file's size), dom (contains the file owner's domain), and user (contains the file owner's name). The second For command, which callout B shows, obtains the current date. Finally, the Echo command directs the file information to a tab-separated value (.tsv) file called D:\logfile.tsv.

Windows 2000's Dir command produces slightly different output than the Dir command in Windows Server 2003 and Windows XP. The code in Listing 1 is set up for the Dir command in Windows 2003 and XP. On the Windows Scripting Solutions Web site, you'll find the GetFileOwner.bat script, which runs on Win2K as well as Windows 2003 and XP. (Don't copy the code in Listing 1 because it contains the arrows I used as placeholders.) To download the script, go to http://www.winnetmag.com/windowsscripting, enter 43313 in the InstantDoc ID box, then click the 43313.zip hotlink. After you use Task Scheduler to run GetFileOwner.bat every few minutes, you can sort the data in Microsoft Excel to determine who is overwriting newer file versions.
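The log review described above can also be scripted: a poll on which the Last Written time is older than on the previous poll marks the moment an older copy replaced a newer one. The following is an added example, not the article's Listing 1 or GetFileOwner.bat; the column order, the US-style date and time format, and the sample accounts are assumptions.

```python
import csv
import io
from datetime import datetime

# Assumed column order for the log (the article does not show it): poll date,
# Last Written date, Last Written time, size, owner domain, owner name.
COLUMNS = ["logdate", "fdate", "ftime", "fsize", "dom", "user"]
STAMP_FORMAT = "%m/%d/%Y %I:%M %p"  # assumed US-style Dir date and time

# Constructed sample log; accounts and values are illustrative only.
SAMPLE_LOG = (
    "08/10/2004\t08/10/2004\t09:15 AM\t24,576\tCORP\talice\n"
    "08/10/2004\t08/10/2004\t09:15 AM\t24,576\tCORP\talice\n"
    "08/11/2004\t08/11/2004\t02:40 PM\t31,232\tCORP\tbob\n"
    "08/12/2004\t08/03/2004\t11:05 AM\t19,968\tCORP\tcarol\n"
    "08/12/2004\t08/12/2004\t04:20 PM\t33,280\tCORP\tbob\n"
)


def find_rollbacks(tsv_text):
    """Return the polls where the file's Last Written time moved backward."""
    rollbacks = []
    previous = None
    reader = csv.DictReader(io.StringIO(tsv_text), fieldnames=COLUMNS,
                            delimiter="\t")
    for row in reader:
        if None in row or None in row.values():
            continue  # wrong number of columns
        try:
            written = datetime.strptime(f"{row['fdate']} {row['ftime']}",
                                        STAMP_FORMAT)
        except ValueError:
            continue  # Dir output in an unexpected date or time format
        owner = f"{row['dom']}\\{row['user']}"
        # An older timestamp than the last poll means an older copy was put back.
        if previous and written < previous["written"]:
            rollbacks.append({"logged": row["logdate"], "owner": owner,
                              "written": written,
                              "replaced": previous["written"],
                              "previous_owner": previous["owner"]})
        previous = {"written": written, "owner": owner}
    return rollbacks


if __name__ == "__main__":
    for event in find_rollbacks(SAMPLE_LOG):
        print(event["logged"], event["owner"], event["written"],
              "replaced", event["replaced"])
```
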
