Security Log Multiple Success/Failure Audit records

Guest

I get the following events from all my users... they are paired with a
success and a failure. I am not sure how to read them and make them stop.
Any advice would be welcome.

Thanks, Eric

Success Audit
Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Database
Object
Name: /O=RGA/OU=ROCKFORD/cn=Configuration/cn=Servers/cn=MMEXG/cn=Microsoft
Private MDB
New Handle ID: 0
Operation ID: {0,11128078}
Process ID: 3164
Primary User Name: MMEXG$
Primary Domain: ROCKFORD
Primary Logon ID: (0x0,0x3E7)
Client User Name: Recover1
Client Domain: ROCKFORD
Client Logon ID: (0x0,0xA9CCFA)
Accesses -
Privileges -

Properties:
Unknown specific access (bit 8)
Create public folder
Create named properties in the information store

And the Failure Audit:
Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Database
Object
Name: /O=RGA/OU=ROCKFORD/cn=Configuration/cn=Servers/cn=MMEXG/cn=Microsoft
Private MDB
New Handle ID: 0
Operation ID: {0,11128079}
Process ID: 3164
Primary User Name: MMEXG$
Primary Domain: ROCKFORD
Primary Logon ID: (0x0,0x3E7)
Client User Name: Recover1
Client Domain: ROCKFORD
Client Logon ID: (0x0,0xA9CCFA)
Accesses Unknown specific access (bit 8)

Privileges -

Properties:
DELETE
Modify public folder quotas
Unknown specific access (bit 1)
Unknown specific access (bit 4)
Administer information store
ACCESS_SYS_SEC
%{d74a8774-2289-11d3-aa62-00c04f8eedd8}
---
Mail-enable public folder
WRITE_DAC
SYNCHRONIZE
Unknown specific access (bit 9)
Unknown specific access (bit 11)
Unknown specific access (bit 12)
Modify public folder deleted item retention
DELETE
READ_CONTROL
Unknown specific access (bit 0)
Unknown specific access (bit 1)
Unknown specific access (bit 2)
Unknown specific access (bit 3)
Unknown specific access (bit 4)
Modify public folder expiry
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Unknown specific access (bit 0)
Unknown specific access (bit 1)
Unknown specific access (bit 2)
Unknown specific access (bit 3)
Unknown specific access (bit 4)
Unknown specific access (bit 5)
Modify public folder replica list
View information store status
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Unknown specific access (bit 0)
Unknown specific access (bit 1)
Unknown specific access (bit 2)
Unknown specific access (bit 3)
Unknown specific access (bit 4)
Unknown specific access (bit 5)
Create top level public folder
Unknown specific access (bit 0)
Unknown specific access (bit 8)
Modify public folder ACL
ACCESS_SYS_SEC
MAX_ALLOWED
Modify public folder admin ACL
 

Steven L Umbach

Those are events recorded for object access and privilege use. Unless you
have a particular reason for auditing object access and privilege use you
probably want to disable such in the appropriate security policy. Auditing
of object access is needed however if you are auditing folder permissions.

In general unless your users are having problems running applications or
accessing files I would not worry about the failure for object access and
privilege use. The exceptions would be for troubleshooting access problems,
auditing for specific access to folders, and auditing for users trying to
use specific sensitive privileges. --- Steve
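
An added example, not part of either post: a small Python parser for the "Object Open" record text quoted in the question, which pairs each Success with the Failure that directly follows it and counts records per client account, to help judge how much of the log this auditing produces. The function names and the pairing rule (adjacent records with the same Client Logon ID, Process ID and Object Type) are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: the two records quoted in the question, trimmed to the
# fields used below, each preceded by its audit type.
SAMPLE = """\
Success Audit
Object Open:
Object Type: Microsoft Exchange Database
Operation ID: {0,11128078}
Process ID: 3164
Client User Name: Recover1
Client Logon ID: (0x0,0xA9CCFA)
Accesses -
And the Failure Audit:
Object Open:
Object Type: Microsoft Exchange Database
Operation ID: {0,11128079}
Process ID: 3164
Client User Name: Recover1
Client Logon ID: (0x0,0xA9CCFA)
Accesses Unknown specific access (bit 8)
"""

HEADER = re.compile(r"^(?:And the )?(Success|Failure) Audit:?$")
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split pasted event text into one dict of fields per audit record."""
    events = []
    for line in map(str.strip, text.splitlines()):
        if h := HEADER.match(line):
            events.append({"Outcome": h.group(1)})
        elif events and line.startswith("Accesses"):   # this field has no colon
            events[-1]["Accesses"] = line[len("Accesses"):].strip()
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1)] = m.group(2)
    return events

def find_pairs(events):
    """Success immediately followed by a Failure from the same session and process."""
    same = ("Client Logon ID", "Process ID", "Object Type")
    return [(a["Operation ID"], b["Operation ID"])
            for a, b in zip(events, events[1:])
            if (a["Outcome"], b["Outcome"]) == ("Success", "Failure")
            and all(a.get(k) == b.get(k) for k in same)]

def count_by_client(events):  # records per client account and outcome
    return Counter((e.get("Client User Name"), e["Outcome"]) for e in events)
```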
 
