File locked on shared drive by user who no longer exists
A network share has permissions at the share level and the file system level. You state "user2" has been gone since 2012 but then you state there is no account in AD for user2. Let's make some distinctions.
user2 is an account name, not a person. The person who used the account user2 left the company in 2012, not the account. Anyone with the proper credentials for user2 can login. You can easily get lost in AD if you're not that familiar with it.
You didn't mention the server OS or version [Ex. Server 2012 R2]. However, if you have access to the server console, you can check to see if user2 has a session open.
From an elevated command prompt: net session
You can also check to see files open: net file
Ex.
C:\Users\Administrator>net session
Computer User name Client Type Opens Idle time
-------------------------------------------------------------------------------
\\192.168.0.113 LAZER Windows 2002 S... 4 04:54:05
The command completed successfully.
C:\Users\Administrator>net file
ID Path User name # Locks
-------------------------------------------------------------------------------
3556769893 D:\Users Shared Folders\engraver LAZER 0
4026532140 D:\Users Shared F...\4x2 UIL.cdr LAZER 0
4026532734 D:\Users Shared F...\lazer files LAZER 0
The command completed successfully.
If the file is locked, it will show the name of the file and the lock.
The session will tell you where the account is running from. It is always best to close an open/locked from from the app running it. If this is left over, you have other options.
From your command line: compmgmt.msc
Expand System Tools, Shared Folders, Open Files
Locate the file in the right pane, right click and select Close Open File
If the file will not close for some reason, you can always reboot the server. it will close all open files.
If after a reboot, the file reports it's locked, and it's not listed as an open file, then the app is using the file system to control locks to files.
At this point, knowing the app is going to be important. What you normally find in this case is the folder where the file is located, has a filename with a similar name but the extension is different.
Ex.
filename.ext
filename.lck
This can happen for many reasons. If an app uses the file system to lock a file for R/W mode and the file was not closed properly, then the file remains and you must manually remove the locked file. Note: This means only a particular app will be susceptible to this. Never work without a net, which means always backup files before tempting recovery.
Related videos on Youtube
rusty009
Updated on September 18, 2022Comments
-
rusty009 over 1 year
I'm really banging my head against the wall with investigating this issue.
We have a shared drive with a number of documents. One such document was created in 2015 and User1 attempted to access this Microsoft office file, but the user was prompted with a popup saying the file was locked by user2.
The problem is, user2 left the company in 2012. This user no longer exists in Active Directory, neither does it look like he ever had access to this particular share.
I'm stumped as to what has happened here and where I can begin my investigation. We do not have fileactivity logs at our disposal, but is there a way I can investigate what happened?
There are no users with a similar surname as user2 within Active Directory either.
-
rusty009 over 8 yearsThanks for this, to clarify, - the locked out message read ' Joe Blogs has locked the file', Joe Bloggs is user2, we know user2 has left the company as they are within our employee database but there is no one with a similar name to Joe Bloggs in the company and we are using windows 2008 R1 server. You raised a good point regarding the network and system permissions. I will check the sessions as well as the local users on that machine and hopefully that will point me in the right direction. Thank you!
-
Nacre over 8 yearsYou're welcome. One more thing. Just in case the user2 account does exist, you can find out for sure. [pre] from the command line: net user [/pre] If you are on a DC (Domain Controller) you will see a list of domain users. If you are on a member server, you will need to add a parameter: net user /domain This will tell you if user2 is really there and if not, most likely the app is locking the file, not the OS.