I know that bypass traverse checking is granted to Everyone by default.

The odd thing is in my Event log, I see an entry granting it to a specific
user:

Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x553939)
Privileges: SeChangeNotifyPrivilege

It happens several times for the same user - a user that never accesses my
box. Any ideas?

Bypass traverse checking
http://www.microsoft.com/resources/d...en-us/528.mspx

"This user right is defined in the Default Domain Controller Group Policy object (GPO)
and in the local security policy of workstations and servers."

Advanced File and Folder Permissions
http://www.microsoft.com/resources/d...d_sec_letd.asp

Windows XP Security Guide v2
http://www.microsoft.com/downloads/d...displaylang=en

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/secu...t/default.aspx

---------------------------------------------------------------------------------------

"biz" wrote:

| I know that bypass traverse checking is granted to Everyone by default.
|
| The odd thing is in my Event log, I see an entry granting it to a specific
| user:
|
| Special privileges assigned to new logon:
| User Name:
| Domain:
| Logon ID: (0x0,0x553939)
| Privileges: SeChangeNotifyPrivilege
|
| It happens several times for the same user - a user that never accesses my
| box. Any ideas?

I know what it is... I'm just curious why I would see a specific user
assignment in the event log of my workstation. By default Everyone has this
right... but why would someone who doesn't connect to my box, supposedly,
suddenly have this right assigned and logged in event viewer?

Looking under user rights in Local Policy doesn't show the user's username
as having the direct assignment.

Any ideas?

"Carey Frisch [MVP]" wrote:

> Bypass traverse checking
> http://www.microsoft.com/resources/d...en-us/528.mspx
>
> "This user right is defined in the Default Domain Controller Group Policy object (GPO)
> and in the local security policy of workstations and servers."
>
> Advanced File and Folder Permissions
> http://www.microsoft.com/resources/d...d_sec_letd.asp
>
> Windows XP Security Guide v2
> http://www.microsoft.com/downloads/d...displaylang=en
>
> --
> Carey Frisch
> Microsoft MVP
> Windows XP - Shell/User
>
> Be Smart! Protect Your PC!
> http://www.microsoft.com/athome/secu...t/default.aspx
>
> ---------------------------------------------------------------------------------------
>
> "biz" wrote:
>
> | I know that bypass traverse checking is granted to Everyone by default.
> |
> | The odd thing is in my Event log, I see an entry granting it to a specific
> | user:
> |
> | Special privileges assigned to new logon:
> | User Name:
> | Domain:
> | Logon ID: (0x0,0x553939)
> | Privileges: SeChangeNotifyPrivilege
> |
> | It happens several times for the same user - a user that never accesses my
> | box. Any ideas?
>
>

"biz" <(E-Mail Removed)> wrote in message
news:3CD9CD9F-DE66-4A83-A5C8-(E-Mail Removed)...
>I know that bypass traverse checking is granted to Everyone by default.
>
> The odd thing is in my Event log, I see an entry granting it to a specific
> user:
>
> Special privileges assigned to new logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x553939)
> Privileges: SeChangeNotifyPrivilege
>
> It happens several times for the same user - a user that never accesses my
> box. Any ideas?

What kind of security auditing do you have turned on? Do you have anything
special being audited for that user?

(This privilege is being granted to everyone, but as I understand your
question, you are wondering why only this user is causing this to be
logged?)

If you are auditing logon events for Everyone, then you should be seeing
this event happening for a whole bunch of people.

Hmmm .... on a semi-related note, this post (apparently from EricF, a
Microsoft employee) states that there was a small bug in Windows Server 2003
regarding the auditing of this event. Possibly this was in XP as well (??)
http://lists.jammed.com/loganalysis/2004/06/0015.html

Thanks, this gives me something solid to start with.

"Colin Nash [MVP]" wrote:

>
> "biz" <(E-Mail Removed)> wrote in message
> news:3CD9CD9F-DE66-4A83-A5C8-(E-Mail Removed)...
> >I know that bypass traverse checking is granted to Everyone by default.
> >
> > The odd thing is in my Event log, I see an entry granting it to a specific
> > user:
> >
> > Special privileges assigned to new logon:
> > User Name:
> > Domain:
> > Logon ID: (0x0,0x553939)
> > Privileges: SeChangeNotifyPrivilege
> >
> > It happens several times for the same user - a user that never accesses my
> > box. Any ideas?
>
> What kind of security auditing do you have turned on? Do you have anything
> special being audited for that user?
>
> (This privilege is being granted to everyone, but as I understand your
> question, you are wondering why only this user is causing this to be
> logged?)
>
> If you are auditing logon events for Everyone, then you should be seeing
> this event happening for a whole bunch of people.
>
> Hmmm .... on a semi-related note, this post (apparently from EricF, a
> Microsoft employee) states that there was a small bug in Windows Server 2003
> regarding the auditing of this event. Possibly this was in XP as well (??)
> http://lists.jammed.com/loganalysis/2004/06/0015.html
>
>
>
>