Re: Failure Audit Security Log Event ID 577
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 10/04/03
- Next message: Roger Abell: "Re: User Account: ASP.NET Machine A..."
- Previous message: John R.: "Internet Explorer script errors"
- In reply to: Jake: "Re: Failure Audit Security Log Event ID 577"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Failure Audit Security Log Event ID 577"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Failure Audit Security Log Event ID 577"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Oct 2003 22:33:35 -0700
You could try profiling what processes are running
in the account process, perhaps with aid from tools
from www.sysinternals.com
Also, does this happen with a newly defined account ?
-- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Jake" <j.lomax@mgn.co.uk> wrote in message news:0cea01c389f0$9db88da0$a001280a@phx.gbl... > Hi Roger, > Privilege use failures are all that is being audited and > only one event is recorded, eventID 577. An event is > logged every thirty seconds when the user is logged on. > The workststion can be idle, ie. screensaver up, and the > same event is still logged. > I have tried altering the local security 'Increase > scheduling priority' policy to 'Authenticated Users' and > also 'Not Defined'. This had no apparent effect. > > > >-----Original Message----- > >Onr solution is to ease back on the events you are > auditing. > >Assuming you put the ******* in there for privacy, > >logging of this is controlled by the "Audit privlege use" > > > >However, your subject (only) indicates that you are > >getting many failures, and _if_ one lessens this category > >of auditing it is usually to only log failures (not > successes). > >So in your case you probably need to track down what the > >******** account is doing when it gets denied. > >The user right that the account is not being granted is > the > >one shown in local policy as "Increase scheduling > priority" > >You may find that profiling the actions of the account > will > >lead you to a solution, for example KB 811196 is a case > >where admin accounts trigger this event even though they > >are granted the user right. > > > >-- > >Roger Abell > >Microsoft MVP (Windows Server System: Security) > >MCSE (W2k3,W2k,Nt4) MCDBA > >"Jake" <j.lomax@mgn.co.uk> wrote in message > >news:08a601c38917$9ec10990$a301280a@phx.gbl... > >> Does anyone know how to stop this failure audit event > >> being recorded. Its happening on a couple of my clients > >> now and with enforced 90 day log retention I need to > keep > >> increasing the log size, I'm not happy with this and > want > >> to know how to stop it. > >> > >> Privileged Service Called: > >> Server: Security > >> Service: - > >> Primary User Name: ******** > >> Primary Domain: ******* > >> Primary Logon ID: (0x0,0x****) > >> Client User Name: - > >> Client Domain: - > >> Client Logon ID: - > >> Privileges: SeIncreaseBasePriorityPrivilege > >> > > > > > >. > >
- Next message: Roger Abell: "Re: User Account: ASP.NET Machine A..."
- Previous message: John R.: "Internet Explorer script errors"
- In reply to: Jake: "Re: Failure Audit Security Log Event ID 577"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Failure Audit Security Log Event ID 577"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Failure Audit Security Log Event ID 577"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
