Re: Event ID 560 Problem

From: nelson (nelson@thebeat.com)
Date: 06/14/02 

From: "nelson" <nelson@thebeat.com>
Date: Thu, 13 Jun 2002 15:55:04 -0700

I am kinda fallowing your explanation here. However, what
I don't understand is why the computer is trying to access
someone else directory with the current username. Is this
bug or something??

>-----Original Message-----
>Error 560s usually refer to object access. What is
happening is that
>whenever a user makes a connection to something out on
the network, i.e a
>file server, a printer, an mp3 on someones share, a
connection is made. When
>they log off, even 3 three hours later, the machine will
go out and attempt
>to close that connection. That is the object access that
you are probably
>recording, and it shouldnt be anything to worry about.
>
>--
>Michael Eisenhart
>Microsoft Support Professional
>Get Secure!! www.microsoft.com/security
>"Nelson" <nelson@thebeat.com> wrote in message
>news:e81701c21318$5381e600$3aef2ecf@TKMSFTNGXA09...
>> Hello,
>>
>> Right now, we have a domain and 30+ workstations.
We
>> started doing security audit last months. I am having
>> this repeated event in my security log that I can't
>> explain. Whenever someone log off their workstation,
the
>> server would log multiple event id 560. Telling me that
>> the user is trying to access someone else directory. To
>> double check, I went to the workstation, log on and log
>> off multiple times. Here is a copy of the security log:
>>
>>
>> Object Open:
>>
>> Object Server: Security
>>
>> Object Type: File
>>
>> Object Name:
>> \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1
>> \User Directory\controlroom
>>
>> New Handle ID: -
>>
>> Operation ID: {0,55205484}
>>
>> Process ID: 8
>>
>> Primary User Name: GOLD$
>>
>> Primary Domain: Beatlan
>>
>> Primary Logon ID: (0x0,0x3E7)
>>
>> Client User Name: wayner
>>
>> Client Domain: Beatlan
>>
>> Client Logon ID: (0x0,0x34A5D58)
>>
>> Accesses ReadData (or
>> ListDirectory)
>>
>>
>> This is only one of the events; I would get at least 20
of
>> them. I can't figure why the computer would attempt to
>> access other people directory whenever it log off. I
was
>> thinking that there might be a virus at work here, but I
>> haven't been able to find any virus in the system
whenever
>> I scan it. Also, if I delete the profile from the
>> computer, then log on and log off the domain again, the
>> problem goes away. But it re-occurs again. I greatly
>> appreciate any help..
>>
>>
>
>
>.
>

Relevant Pages

  • Re: Event ID 560 Problem
    ... Error 560s usually refer to object access. ... file server, a printer, an mp3 on someones share, a connection is made. ... > this repeated event in my security log that I can't ... Whenever someone log off their workstation, ...
    (microsoft.public.win2000.security)
  • Re: Event ID 560 Problem
    ... order to colse the connection. ... >>Error 560s usually refer to object access. ... >>> this repeated event in my security log that I can't ... Whenever someone log off their workstation, ...
    (microsoft.public.win2000.security)
  • Re: Changing Workstation ID in an adp
    ... ES> set when the Adp file is opened, but once it's there opening that adp ... ES> from another workstation does not change that value, ... VADIM, compiled it into ADE, and deployed on user's machine. ... you found out the connection shows VADIM as the host name. ...
    (microsoft.public.access.adp.sqlserver)
  • Re: Connecting a remote workstation to a domain
    ... Even setting up a low end workstation in the ... I have also selected not to dial an initial connection before ... remark that you will have to reboot the workstation. ... After the login script has finished and if you have Premium, ...
    (microsoft.public.windows.server.sbs)
  • Re: Remote Web Workplace Issue
    ... Are ports 4125 and 443 forwarded to your SBS NIC? ... opened these ports on the workstation with scope to network ... IntelPRO/1000 MT Network Connection ... The client could not establish a connection to the remote computer. ...
    (microsoft.public.windows.server.sbs)