Hello, we use a small network with all the same username on each computer. I want to be able to look at a saved file and find out who made the change or who created the file.
Is there any possible way to do this based on the computer name or ip address of the computer who created/modified a file?
This is a somewhat rare need so I am fine with going through log files to find out.
-Thanks
AFAIK, the only way you could determine this is by cross referencing the MACE timestamps with timestamps in Windows logs (uptime/logon) and router logs (MAC addresses and hostnames). If all your machines are generally always on and connected to the network, you may be out of luck.
The MACE timestamps are viewable through the properties menu, they are just the Modified, Accessed, and Created entries. This will tell you the time of creation and time of last modification.
After that you should collect the info on each machine's computer name/hostname (Right-click Computer > Properties > Advanced) and MAC addresss (command prompt: ipconfig /all).
The router will tell you when each computer requested an IP (if you're on a DHCP network) and this will tell you when each machine was online. If your network is not DHCP (the IP addresses are static) then you can record each machine's IP as well (Network and Sharing > Change Adapter Settings > Right-click adapter > Properties > IPv4 > Properties). If this dialog has Obtain IP address Automatically selected, then DHCP is enabled.
However, if your network is not internet-enabled, it may not have a router, and while DCHP may be enabled on your computers, your machines may obtain their addresses using APIPA. In this case I do not know that there will be any Windows event logs with this information.
I do not think there are any logs created upon file access, creation, or modification either, as these are noted in the file itself. It may be helpful to know where the file was stored and how it was acccessed. For instance, on my machines, Homegroup is disabled. When a user wants to access files on another machine, it must provide user and password credentials for the computer it wants to access. This creates an event log. I do not know how Homegroup handles these things, or if there would be any relevant logs in that case. If the file that was created/modified is on a network share drive, you may be out of luck.
I know this doesnt much help you now after-the-fact, but for future reference, you can use the group policy feature in conjunction with the event viewer's custom view editor to really keep a watch over your network. You can define what sorts of activities you want different groups of users to be able to perform, and tell the event viewer to collect specific sorts of logs on particular events to get a general highlight of what people have been up to.
Hmm, too bad there is no simple or quicker solution. Thank you for the help.
Quote