Audit Object Access Problem

[JayJ]

Good day everyone

I am having a problem with Windows 2000 (and XP) and active directory.
I want to enable the GPO setting "audit object access" and then specify
files and folders on workstations and servers that inherit this setting
from the GPO.

When I enable the above setting, I get thousands of entries in the
event logs every minute, even though there are no files or folders with
auditing enabled on any of the workstations/servers yet.

Here is a sample:
---------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3}
New Handle ID: 1516
Operation ID: {0,150820847}
Process ID: 1512
Primary User Name: xyzuser
Primary Domain: XYZDMN
Primary Logon ID: (0x0,0x53A05)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Privileges -
----------------------
and another:
----------------------
Handle Closed:
Object Server: Security
Handle ID: 1760
Process ID: 1284
----------------------


Even if I reset the auditing on the root of all drives (and set it to
propagate), I still get many thousands of these entries. If I disable
auditing of object access, I get no entries in the security event log
at all.

I don't think this is by design because I haven't seen this before. The
event logs fill up in a couple of minutes even if I set them to 100
MBytes.

Any ideas?

Jason

 

[Steven L Umbach]

You will normally get some events even if you do not have any auditing
enabled. You might want to use the free tool dumpsec from SomarSoft to see
if any folder/files are indeed enabled for auditing, possibly from a time in
the past and forgotten about or via Group Policy file system. Also check the
security option on those computers in Local Security Policy to make sure
that "audit access of global system objects" is not enabled. If it is
undefined set it to disabled. --- Steve

http://www.somarsoft.com/ -- link to Dumpsec

 

[JayJ]

Hi Steven

Thanks for the reply.

I'm seeing thousands of entries per minute, even though the option you
describe is disabled (access of global system objects). Do you know
what could be causing entries like
\Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3} to be audited? 99% of
the entries are these \Device\ ones.

Thanks

Jason

 

[Steven L Umbach]

Jason.

I am at a loss as to why you are seeing that many events if auditing of
global objects is disabled and you are sure that no folders are enable for
auditing. For Windows 2000 computers make sure it shows as disabled for
"effective" setting in Local Security Policy. I could understand that a lot
of events would be reported on a domain controller or busy server but not a
workstation. --- Steve

 

[JayJ]

I eventually came right. After moving the Computer and Username to a
different OU and then moving them back, it started working. Thank you
for your help Steven.