Re: Audit Object Access Problem
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/24/05
- Next message: Steven L Umbach: "Re: Error:Currently there are no authentication server available"
- Previous message: Steven L Umbach: "Re: Users should not shutdown or restart servers"
- In reply to: JayJ: "Audit Object Access Problem"
- Next in thread: JayJ: "Re: Audit Object Access Problem"
- Reply: JayJ: "Re: Audit Object Access Problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 24 Jan 2005 15:32:47 -0600
You will normally get some events even if you do not have any auditing
enabled. You might want to use the free tool dumpsec from SomarSoft to see
if any folder/files are indeed enabled for auditing, possibly from a time in
the past and forgotten about or via Group Policy file system. Also check the
security option on those computers in Local Security Policy to make sure
that "audit access of global system objects" is not enabled. If it is
undefined set it to disabled. --- Steve
http://www.somarsoft.com/ -- link to Dumpsec
"JayJ" <jmcinnes@mighty.co.za> wrote in message
news:1106571141.143914.189390@f14g2000cwb.googlegroups.com...
> Good day everyone
>
> I am having a problem with Windows 2000 (and XP) and active directory.
> I want to enable the GPO setting "audit object access" and then specify
> files and folders on workstations and servers that inherit this setting
> from the GPO.
>
> When I enable the above setting, I get thousands of entries in the
> event logs every minute, even though there are no files or folders with
> auditing enabled on any of the workstations/servers yet.
>
> Here is a sample:
> ---------------------
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: \Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3}
> New Handle ID: 1516
> Operation ID: {0,150820847}
> Process ID: 1512
> Primary User Name: xyzuser
> Primary Domain: XYZDMN
> Primary Logon ID: (0x0,0x53A05)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> WriteData (or AddFile)
> AppendData (or AddSubdirectory or CreatePipeInstance)
> ReadEA
> WriteEA
> ReadAttributes
> WriteAttributes
>
> Privileges -
> ----------------------
> and another:
> ----------------------
> Handle Closed:
> Object Server: Security
> Handle ID: 1760
> Process ID: 1284
> ----------------------
>
>
> Even if I reset the auditing on the root of all drives (and set it to
> propagate), I still get many thousands of these entries. If I disable
> auditing of object access, I get no entries in the security event log
> at all.
>
> I don't think this is by design because I haven't seen this before. The
> event logs fill up in a couple of minutes even if I set them to 100
> MBytes.
>
> Any ideas?
>
> Jason
>
- Next message: Steven L Umbach: "Re: Error:Currently there are no authentication server available"
- Previous message: Steven L Umbach: "Re: Users should not shutdown or restart servers"
- In reply to: JayJ: "Audit Object Access Problem"
- Next in thread: JayJ: "Re: Audit Object Access Problem"
- Reply: JayJ: "Re: Audit Object Access Problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
