Hi, in our org we have a standard user desktop which 'should' be locked down and contain a standard set of Icons. For some as yet unknown reason there have been situations when it appears a user(s) have been able to modify this desktop by either adding shortcuts or more recently deleteing standard shortcuts. I was asked to monitor the standard desktop, first of all very basic by counting the number of files in the desktop folder - if the count was greater than the expected number then alert as it means a file had been added. To implement this is downloaded the very useful File system MP which has a monitor to count files in a folder, and alerted when the threshold count was exceeded (the folder is under SYSVOL on DC). This worked for alerting on file additions. However now we have issues of file deletion so at a basic level I also need a monitor where file count is LESS than the specified threshold, which this MP does not give. I'm guessing it 'should' be possible, ie probably changing the script to use < rather than > operator, but I'm not sure how to script that, so any guidance or if anyone has a script to do it that would be helpful. At a more detailed level, it would be great if there was a way to monitor the desktop folder to identify any user who has modified the standard desktop folder (adding or deleting files) - is there any way to do this. Any help much appreciated!!...

Hi, next to the part where you monitor the number of files you could also turn on auditing for the folder. This will generate security events in the eventlog for each deleted file and who was logged on. You could also pick those up by using the scom agent. I know this is a bit different fr your question, but something to consider doing anyway (the auditing part).Bob Cornelissen - BICTT (My BICTT Blog)

Hi, in our org we have a standard user desktop which 'should' be locked down and contain a standard set of Icons. For some as yet unknown reason there have been situations when it appears a user(s) have been able to modify this desktop by either adding shortcuts or more recently deleteing standard shortcuts. I was asked to monitor the standard desktop, first of all very basic by counting the number of files in the desktop folder - if the count was greater than the expected number then alert as it means a file had been added. To implement this is downloaded the very useful File system MP which has a monitor to count files in a folder, and alerted when the threshold count was exceeded (the folder is under SYSVOL on DC). This worked for alerting on file additions. However now we have issues of file deletion so at a basic level I also need a monitor where file count is LESS than the specified threshold, which this MP does not give. I'm guessing it 'should' be possible, ie probably changing the script to use < rather than > operator, but I'm not sure how to script that, so any guidance or if anyone has a script to do it that would be helpful. At a more detailed level, it would be great if there was a way to monitor the desktop folder to identify any user who has modified the standard desktop folder (adding or deleting files) - is there any way to do this. Any help much appreciated!!... You have the script... it's in the mp. if you are just looking for the script you can log on to a client that uses the script (monitors some dir) and then search the scom agent install folders for the script. You might want to export the mp to xml as well. so you can read entire mp (it will look very cryptic at first, but eventually it will make some sense :)).Rob Korving http://jama00.wordpress.com/

Hi, You can try enabling auditing on the folder and creating a rule based on the event. . Meanwhile, I would like to share the following with you for your reference: Monitoring File Access with SCOM http://opsmgrsolutions.wordpress.com/2010/02/02/monitoring-file-access-with-scom/ Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. Hope this helps. Thanks. Nicholas Li - MSFT Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, You can try enabling auditing on the folder and creating a rule based on the event. Meanwhile, I would like to share the following with you for your reference: Monitoring File Access with SCOM http://opsmgrsolutions.wordpress.com/2010/02/02/monitoring-file-access-with-scom/ Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. Hope this helps. Thanks. Nicholas Li - MSFT Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.