Auditing Privilege Use - failure only but still get Success

  • Thread starter Bruce Sanderson

Bruce Sanderson

Using a GPO, I've set the Auditing of Privilege Use to Failure only. I've
verified that this setting is being applied to my XP workstations by using
the Resultant Set of Policies mmc snap-in and gpedit.msc (locally on this
computer).

The setting is:
Windows Settings\Security Settings\Local Policies\Audit Policy\Audit
privilege use:
· Define these policy settings: checked
· Success: not checked
· Failure: checked

However, some successful uses of privileges still appear to be logged (on the
computer I checked the Resultant Set of Policies on). See the entry below.
What do I have to do to stop these Success events from being logged? At the
same time I changed the Privilege Use Audit setting in this GPO, I also
changed the Maximum Size of the Security Event Log (Windows
Settings\Security Settings\Event Log\Maximum security log size:). Resultant
Set of Policies and Computer Management on this computer tells me that the
log now has the maximum size I set in the GPO, so I'm reasonably sure that
this GPO is being applied to this computer.

We are getting a large number of these events logged which are flooding the
Security Event Log (several hundred at least at each logon). We are
attempting to find out what is causing so many of these events to occur, but
that's a different problem.

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 04/Feb/2004
Time: 12:34:45 PM
User: WBCA30420\SMSCliSvcAcct&
Computer: WBCA30420
Description:
Privileged object operation:
Object Server: Security
Object Handle: 448
Process ID: 1804
Primary User Name: SMSCliSvcAcct&
Primary Domain: WBCA30420
Primary Logon ID: (0x0,0xF9FB)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeTakeOwnershipPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
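Added example, not part of the original post: one way to see which account, process and privilege produce the bulk of the Privilege Use events, and whether they are Success or Failure audits, by tallying a text export that uses the field layout of the event quoted above. The function names and the sample records (host, accounts, PIDs) are constructed for illustration.

```python
from collections import Counter

def parse_events(text):
    """Split a text export into one dict per record; a record starts at 'Event Type:'."""
    events, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if not sep:
            continue                            # blank or wrapped description line
        key = key.strip()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current.setdefault(key, value.strip())
    return events

def privilege_use_summary(events):
    """Count Privilege Use events per (type, event ID, user, process ID, privilege)."""
    tally = Counter(
        (ev.get("Event Type"), ev.get("Event ID"), ev.get("User"),
         ev.get("Process ID"), ev.get("Privileges"))
        for ev in events
        if ev.get("Event Category") == "Privilege Use"
    )
    return tally.most_common()                  # noisiest source first

# Constructed sample data (host, accounts and PIDs are invented), using the
# field layout of the event quoted in the post.
_TEMPLATE = ("Event Type: {0}\nEvent Source: Security\nEvent Category: {1}\n"
             "Event ID: {2}\nUser: {3}\nDescription:\n"
             "Process ID: {4}\nPrivileges: {5}\n")
_ROWS = [
    ("Success Audit", "Privilege Use", "578", "HOST01\\svc-example", "1804",
     "SeTakeOwnershipPrivilege"),
] * 3 + [
    ("Failure Audit", "Privilege Use", "578", "HOST01\\user-example", "420",
     "SeSecurityPrivilege"),
    ("Success Audit", "Logon/Logoff", "528", "HOST01\\user-example", "-", "-"),
]
SAMPLE_EXPORT = "\n".join(_TEMPLATE.format(*row) for row in _ROWS)

if __name__ == "__main__":
    for key, count in privilege_use_summary(parse_events(SAMPLE_EXPORT)):
        print(count, *key)
```

Only the first value of a field is kept per record, so privileges listed on continuation lines are not counted separately.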
 

Chriss3

Bruce, what happens if you apply the securews.inf - Secure server or
workstation security template?

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
 

Bruce Sanderson

After I sent the first post, the Domain Administrators changed the Default
Domain Policy and set all of the Auditing settings to "Not Defined", which,
if I understand correctly, means our computers now get the OS default
settings as defined in the Group Policy Help, which is essentially:

Audit account logon events: Success only (applies to remote access, not
local logons; Domain User logons are recorded on Domain Controllers, not the
local computer)
Audit account management: No Auditing
Audit directory service access: undefined (only has meaning on Domain
Controllers)
Audit logon events: Success only (applies to Local user accounts only)
Audit object access: No Auditing
Audit policy change: No Auditing – member computers
Audit privilege use: No Auditing
Audit process tracking: No Auditing
Audit system events: No Auditing

Before this change, other things were being audited (sorry, I don't have a
complete list at my disposal, but I think it was essentially audit
everything, success or failure). We no longer get the events I reported in
my first post, so the immediate problem is fixed.

I guess my question really is:
a. the event log entry says it is Category: Privilege Use, Event Type:
Success Audit
b. I had set the Audit Policy to only report Privilege Use failures

so, why were successes still being recorded? I must be missing something
here.
 
