JayJ
Good day everyone
I am having a problem with Windows 2000 (and XP) and Active Directory.
I want to enable the GPO setting "audit object access" and then specify
files and folders on workstations and servers that inherit this setting
from the GPO.
When I enable the above setting, I get thousands of entries in the
event logs every minute, even though there are no files or folders with
auditing enabled on any of the workstations/servers yet.
Here is a sample:
---------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3}
New Handle ID: 1516
Operation ID: {0,150820847}
Process ID: 1512
Primary User Name: xyzuser
Primary Domain: XYZDMN
Primary Logon ID: (0x0,0x53A05)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges -
----------------------
and another:
----------------------
Handle Closed:
Object Server: Security
Handle ID: 1760
Process ID: 1284
----------------------
Even if I reset the auditing on the root of all drives (and set it to
propagate), I still get many thousands of these entries. If I disable
auditing of object access, I get no entries in the security event log
at all.
I don't think this is by design because I haven't seen this before. The
event logs fill up in a couple of minutes even if I set them to 100
MBytes.
Any ideas?
Jason
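One way to find out where a flood like this comes from, as an added example that is not part of the original post, is to aggregate the "Object Open" entries by object name and process ID. If nearly every open hits the same \Device\{GUID} object rather than ordinary file paths, the entries point at an SACL on that device or volume object, not at the file-level auditing the poster is trying to set up; the process ID then tells you which process is generating the opens. The script below parses the plain-text record layout quoted above; the log is a constructed sample (the first record mirrors the post, the C:\Payroll path is made up), and the function names are mine.

```python
import re
from collections import Counter

# Constructed sample in the plain-text shape Windows 2000 uses for
# "Object Open" / "Handle Closed" Security log entries. The first record
# mirrors the one in the post; the C:\Payroll path is a made-up example.
SAMPLE_LOG = r"""---------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3}
New Handle ID: 1516
Operation ID: {0,150820847}
Process ID: 1512
Primary User Name: xyzuser
Primary Domain: XYZDMN
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges -
----------------------
Handle Closed:
Object Server: Security
Handle ID: 1760
Process ID: 1284
----------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3}
New Handle ID: 1520
Process ID: 1512
Accesses READ_CONTROL
ReadAttributes
Privileges -
----------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\Payroll\salaries.xls
New Handle ID: 1530
Process ID: 2000
Accesses ReadData (or ListDirectory)
Privileges -
----------------------
"""

DIVIDER = re.compile(r"(?m)^-{3,}[ \t]*$")      # the ---- lines between entries
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")   # "Key: value" lines
WRITE_ACCESSES = ("WriteData", "AppendData", "WriteEA", "WriteAttributes", "DELETE")

def parse_records(text):
    """Split the log text into records: a dict of fields plus an 'accesses' list."""
    records = []
    for chunk in DIVIDER.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"type": lines[0].rstrip(":"), "accesses": []}
        in_accesses = False
        for line in lines[1:]:
            if line.startswith("Accesses"):          # first access is on the same line
                in_accesses = True
                first = line[len("Accesses"):].strip()
                if first:
                    rec["accesses"].append(first)
            elif line.startswith("Privileges"):      # marks the end of the access list
                in_accesses = False
            elif in_accesses:
                rec["accesses"].append(line)
            else:
                m = FIELD.match(line)
                if m:
                    rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records

def is_device_object(name):
    """True for kernel device objects (\\Device\\...), as opposed to file-system paths."""
    return name.upper().startswith("\\DEVICE\\")

def requests_write(rec):
    """True if the open asked for any write/delete access, not just read."""
    return any(a.startswith(WRITE_ACCESSES) for a in rec["accesses"])

def triage(text):
    """Aggregate Object Open entries by (object name, process ID) to find the noise source."""
    records = parse_records(text)
    opens = [r for r in records if r["type"] == "Object Open"]
    by_object = Counter((r.get("Object Name", "?"), r.get("Process ID", "?")) for r in opens)
    return {
        "records": len(records),
        "opens": len(opens),
        "closes": sum(1 for r in records if r["type"] == "Handle Closed"),
        "device_opens": sum(1 for r in opens if is_device_object(r.get("Object Name", ""))),
        "write_opens": sum(1 for r in opens if requests_write(r)),
        "top": by_object.most_common(),   # noisiest (object, pid) pairs first
    }
```

Run `triage()` over a text export of the Security log: the `top` list shows which object and process account for the volume, `device_opens` versus `opens` shows whether the noise is device-object traffic or genuine file opens, and `write_opens` separates the entries worth keeping (write or delete attempts on files) from the read-only churn that fills the log.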