Re: 560 errors

From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com)
Date: 01/30/03


From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com>
Date: Wed, 29 Jan 2003 18:01:43 -0800


You need to disable the security option "Audit Base System Objects" in
security policy. The audits will go away. Also, unless you are REQUIRED to
do so, CrashOnAuditFail is a really bad choice.

Eric

-- 
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

"Mike W" <wunderlinmw@state.gov> wrote in message
news:093601c2c797$f57fd5a0$d3f82ecf@TK2MSFTNGXA10...
> Our systems are locked down by security settings, and
> auditing.  I recently deployed a Win2K computer in an NT
> 4.0 domain as part of a planned rollout.  The system
> crashed within 2 hours (crashonauditfail is enabled).  Most
> of the errors are similar to these:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 01/23/03
> Time: 9:04:01 AM
> User: <domain name>\<user name>
> Computer: <computer name>
> Description:
> Object Open:
>   Object Server: Security
>   Object Type: Event
>   Object Name:
> \BaseNamedObjects\crypt32LogoffEvent
>   New Handle ID: -
>   Operation ID: {0,253463}
>   Process ID: 248
>   Primary User Name: <removed for posting>
>   Primary Domain: <domain name>
>   Primary Logon ID: (0x0,0x253EE)
>   Client User Name: -
>   Client Domain: -
>   Client Logon ID: -
>   Accesses DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> SYNCHRONIZE
> Query event state
> Modify event state
>
>   Privileges -
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 01/23/03
> Time: 9:03:57 AM
> User: <domain name>\<user name>
> Computer: <computer name>
> Description:
> Object Open:
>   Object Server: Security
>   Object Type: Section
>   Object Name:
> \BaseNamedObjects\_MsiFeatureCacheCount
>   New Handle ID: -
>   Operation ID: {0,249010}
>   Process ID: 976
>   Primary User Name: <removed for posting>
>   Primary Domain: <domain name>
>   Primary Logon ID: (0x0,0x253EE)
>   Client User Name: -
>   Client Domain: -
>   Client Logon ID: -
>   Accesses DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> Query section state
> Map section for write
> Map section for read
>
>   Privileges -
>
> I tried searching through TechNet for information on this
> event, but can't find anything specific.  Not even a
> description of what it's looking for and/or why this is
> happening.  Is there a TechNet article, or some other
> article, that can explain this type of error to me?
> What is it looking for?  What did it see?  Why am I seeing
> these errors?
>
> Other errors include:
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 01/23/03
> Time: 9:03:57 AM
> User: <domain name>\<user name>
> Computer: <computer name>
> Description:
> Object Open:
>   Object Server: Security
>   Object Type: File
>   Object Name: C:\WINNT\welcome.exe
>   New Handle ID: -
>   Operation ID: {0,1189599}
>   Process ID: 1172
>   Primary User Name: <user name>
>   Primary Domain: <domain name>
>   Primary Logon ID: (0x0,0x10FBA3)
>   Client User Name: -
>   Client Domain: -
>   Client Logon ID: -
>   Accesses SYNCHRONIZE
> Execute/Traverse
>
>   Privileges -
>
> In this case, the user has READ rights to the file in
> question.  It looks like the problem identified in article
> Q172509 also affects Windows 2000.
>
> Help?!?
> Thanks!
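
An added example, not part of the original thread: Python code that parses Event ID 560 failure audits in the text form quoted above, rejoins the wrapped "Object Name" and "Accesses" fields, and separates opens of named kernel objects under \BaseNamedObjects from other objects such as files. The sample input is constructed from the three records in the post (abridged), and the function names are hypothetical.

```python
import re

# Constructed sample: the three 560 records from the post, abridged, with the
# ">" quote markers stripped and the line wrapping kept as posted.
SAMPLE = r"""Event ID: 560
  Object Type: Event
  Object Name:
\BaseNamedObjects\crypt32LogoffEvent
  Accesses DELETE
Modify event state
  Privileges -
Event ID: 560
  Object Type: Section
  Object Name:
\BaseNamedObjects\_MsiFeatureCacheCount
  Accesses DELETE
Map section for write
  Privileges -
Event ID: 560
  Object Type: File
  Object Name: C:\WINNT\welcome.exe
  Accesses SYNCHRONIZE
Execute/Traverse
  Privileges -
"""

def parse_560(text):
    """Return one dict per Event ID 560 record, rejoining wrapped fields."""
    events = []
    for rec in re.split(r"(?m)^Event ID:\s*560\s*$", text)[1:]:
        otype = re.search(r"Object Type:\s*(.+)", rec).group(1).strip()
        # \s* spans the line break when the name was wrapped onto the next line
        name = re.search(r"Object Name:\s*(\S.*)", rec).group(1).strip()
        acc = re.search(r"Accesses\s+(.*?)\n\s*Privileges", rec, re.S).group(1)
        events.append({"type": otype, "name": name,
                       "accesses": [a.strip() for a in acc.splitlines() if a.strip()]})
    return events

def triage(events):
    """Split named kernel objects (BaseNamedObjects) from everything else."""
    base = [e for e in events if e["name"].startswith("\\BaseNamedObjects\\")]
    other = [e for e in events if e not in base]
    return base, other

if __name__ == "__main__":
    base, other = triage(parse_560(SAMPLE))
    for label, group in (("base object", base), ("other", other)):
        for e in group:
            print(f"{label:12} {e['type']:8} {e['name']}  {e['accesses']}")
```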

