Re: event id 836 and 837?
- From: r. wales <rwales@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 27 Mar 2006 12:20:02 -0800
Thanks. AD and everything else was set up by a part timer who did a lot of
things quick and dirty. Now I have been brought in to try and sort everything
out. Your help is greatly appreciated.
"Steven L Umbach" wrote:
I found the links below which indicate it has to do with Active Directory
replication and USN. If you do not have a specific reason to be auditing
directory service access such as auditing access of particular AD objects
you may want to disable it or enable it for failure only to reduce noise in
your security logs. --- Steve
http://kbase.gfi.com/showarticle.asp?id=KBID001758
http://kbase.gfi.com/showarticle.asp?id=KBID001759
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch03n.mspx
-- from the Threats and Countermeasures Guide.
Audit directory service access
This policy setting determines whether to audit user access of an Active
Directory® directory service object that has an associated system access
control list (SACL). A SACL is a list of users and groups for which actions on
an object are to be audited on a Microsoft Windows-based network.
If you configure the Audit directory service access setting, you can specify
whether to audit successes, audit failures, or not audit the event type at
all. Success audits generate an audit entry when a user successfully
accesses an Active Directory object that has a SACL that indicates that the
user should be audited for the requested action. Failure audits generate an
audit entry when a user unsuccessfully attempts to access an Active
Directory object that has a SACL that requires auditing. (Both types of
audit entries are created before the user is notified that the request
succeeded or failed.) If you enable this policy setting and configure SACLs
on directory objects, a large volume of entries can be generated in the
Security logs on domain controllers. You should only enable these settings
if you actually intend to use the information that is created.
Note: You can configure a SACL on an Active Directory object through the
Security tab in that object's Properties dialog box. This method is
analogous to Audit object access, except that it applies only to Active
Directory objects and not to file system and registry objects.
"r. wales" <rwales@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C9F028DE-DA39-4557-8546-CB7415A6BFBE@xxxxxxxxxxxxxxxx
My security logs (2 servers) are full of success audits for event id 836 and
837. I have not been able to find any useful information as to what these
events actually are or why they are occurring so often. Can someone shed some
light on this for me?
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 836
Date: 3/16/2006
Time: 11:37:36 AM
User: NT AUTHORITY\SYSTEM
Computer: <servername1>
Description:
Destination DRA: CN=NTDS Settings,CN=<servername1>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<domainname>,DC=local
Source DRA: CN=NTDS Settings,CN=<servername2>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<domainname>,DC=local
Naming Context: DC=<domainname>,DC=local
Options: 19
Session ID: 36103
Start USN: 1741917
event 837 contains similar information
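
Added example, not part of the thread: before changing the Audit directory service access setting as suggested above, a text export of the Security log in the layout shown in the post can be parsed to measure how much of it is 836/837 replication auditing and between which domain controllers. The function names, the sample server and domain names, and the assumption that 837 carries the same fields as 836 are this example's own.

```python
import re
from collections import Counter

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")   # "Key: value" lines of a record

def parse_events(text):
    """Split exported Security-log text (layout as in the post) into dicts."""
    events, key = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            events.append({})                   # a record starts at "Event Type:"
        if m and events:
            key = m.group(1)
            events[-1][key] = m.group(2)
        elif key and line.strip():
            # Wrapped value: the post shows "CN=NTDS" / "Settings,..." split in two
            events[-1][key] = (events[-1][key] + " " + line.strip()).strip()
    return events

def server_cn(dra):
    """Server name that follows 'CN=NTDS Settings,' in a DRA distinguished name."""
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),", dra or "")
    return m.group(1) if m else "?"

def replication_noise(events):
    """Count 836/837 success audits per (source, destination) and their log share."""
    pairs = Counter()
    for e in events:
        if (e.get("Event Category") == "Directory Service Access"
                and e.get("Event Type") == "Success Audit"
                and e.get("Event ID") in ("836", "837")):
            pairs[server_cn(e.get("Source DRA")), server_cn(e.get("Destination DRA"))] += 1
    return pairs, (sum(pairs.values()) / len(events) if events else 0.0)

# Constructed sample: DC1, DC2 and example.local are made up; 837 is assumed to
# carry the same fields as 836, and the last record stands in for other events.
_DN = ("CN=NTDS\nSettings,CN={},CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=example,DC=local")
_REC = ("Event Type: Success Audit\nEvent Source: Security\n"
        "Event Category: Directory Service Access\nEvent ID: {eid}\n"
        "Description:\nDestination DRA: {dst}\nSource DRA: {src}\n"
        "Naming Context: DC=example,DC=local\nOptions: 19\n")
SAMPLE = (_REC.format(eid=836, dst=_DN.format("DC1"), src=_DN.format("DC2"))
          + _REC.format(eid=837, dst=_DN.format("DC1"), src=_DN.format("DC2"))
          + _REC.format(eid=836, dst=_DN.format("DC2"), src=_DN.format("DC1"))
          + "Event Type: Failure Audit\nEvent Source: Security\n"
            "Event Category: Logon/Logoff\nEvent ID: 529\n")
```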