Security Logs Fill with Event 560 when limited users log in

Mygposts

We have deployed several laptops with a Microsoft SteadyState GPO and
restricted users from saving anything to the local drive.
This is working fine for everyone except the few users who needed to have
wireless USB NICs added to the laptops.
We logged in with our administrator accounts to install the NIC drivers and
vendor software and they are able to log in and successfully connect to the
wireless with their limited user accounts.
Within a few weeks they can no longer log in because their security logs
have grown to over 250MBs and they get a message saying they cannot log in
until the logs are cleared. They do not have rights to clear the logs
themselves and will not be granted those rights, so they have to come in and
have us clear it for them.

The event logs fill with Event 560 several times a second. Sometimes 4
events time stamped with the same time down to the second.

The event says:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/27/2009
Time: 9:52:28 PM
User: S-1-5-21-1635994856-3625636839-4110126995-1601
Computer: JohnLaptop
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,21101683}
Process ID: 1316
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: JohnLaptop$
Primary Domain: homedomain
Primary Logon ID: (0x0,0x3E7)
Client User Name: jsmith
Client Domain: homedomain
Client Logon ID: (0x0,0x1FDCB)
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Connect to service controller
Create a new service
Enumerate services
Lock service database for exclusive access
Query service database lock state
Set last-known-good state of service database

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Users who log in as an administrator do not get these events.
Is there some way to prevent these failure events from occurring without
granting these users admin rights or turning off auditing?
 
Mygposts

I noticed the log alternates the first error with this one:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/27/2009
Time: 9:52:25 PM
User: S-1-5-21-1635994856-3625636839-4110126995-1601
Computer: JohnLaptop
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: DNINDIS5
Handle ID: -
Operation ID: {0,21086507}
Process ID: 1316
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: JohnLaptop$
Primary Domain: homedomain
Primary Logon ID: (0x0,0x3E7)
Client User Name: jsmith
Client Domain: homedomain
Client Logon ID: (0x0,0x1FDCB)
Accesses: Start the service

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
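
A way to see which object is producing the flood, as an added example that is not part of the original posts: it parses Security-log text in the layout pasted above and counts Failure Audit 560 records per object and client user. The function names (`parse_events`, `noisy_objects`, `make_event`) and the sample data are constructed for illustration, and the input is assumed to be a plain-text export in this "Key: value" layout.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_events(text):
    """Split exported Security-log text into one dict per event."""
    events, cur, in_accesses = [], None, False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":      # every record starts here
            cur = {"Accesses": []}
            events.append(cur)
        if cur is None:
            continue
        if not line.strip():                      # blank line ends the Accesses list
            in_accesses = False
        elif m:
            key, value = m.group(1), m.group(2).strip()
            in_accesses = key == "Accesses"
            if in_accesses:
                cur["Accesses"].append(value)
            else:
                cur[key] = value
        elif in_accesses:                         # continuation line, no "Key:" prefix
            cur["Accesses"].append(line.strip())
    return events

def noisy_objects(events):
    """Count Failure Audit 560 records per (object type, object name, client user)."""
    counts = Counter()
    for e in events:
        if e.get("Event ID") == "560" and e.get("Event Type") == "Failure Audit":
            counts[(e.get("Object Type"), e.get("Object Name"),
                    e.get("Client User Name"))] += 1
    return counts.most_common()

def make_event(obj_type, obj_name, accesses):
    """Build one constructed record in the layout shown in the thread."""
    head = ("Event Type: Failure Audit\nEvent Source: Security\nEvent ID: 560\n"
            "Description:\nObject Open:\n"
            f"Object Server: SC Manager\nObject Type: {obj_type}\n"
            f"Object Name: {obj_name}\nClient User Name: jsmith\n")
    return head + "Accesses: " + "\n".join(accesses) + "\n\nPrivileges: -\n\n"

# Constructed sample: field values reused from the posts, repetition counts invented.
SAMPLE = (make_event("SERVICE OBJECT", "DNINDIS5", ["Start the service"]) * 3
          + make_event("SC_MANAGER OBJECT", "ServicesActive",
                       ["DELETE", "READ_CONTROL", "Create a new service"]) * 2)

if __name__ == "__main__":
    for (otype, name, user), n in noisy_objects(parse_events(SAMPLE)):
        print(f"{n:5d}  {otype:18} {name:15} {user}")
```
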
 
Jose

We have deployed several laptops with a Microsoft SteadyState GPO and
restricted users from saving anything to the local drive.
This is working fine for everyone except the few users who needed to have
wireless USB NICs added to the laptops.  
We logged in with our administrator accounts to install the NIC drivers and
vendor software and they are able to log in and successfully connect to the
wireless with their limited user accounts.
Within a few weeks they can no longer log in because their security logs
have grown to over 250MBs and they get a message saying they cannot log in
until the logs are cleared.  They do not have rights to clear the logs
themselves and will not be granted those rights, so they have to come in and
have us clear it for them.

The event logs fill with Event 560 several times a second.  Sometimes 4
events time stamped with the same time down to the second.

The event says:

Event Type:     Failure Audit
Event Source:   Security
Event Category: Object Access
Event ID:       560
Date:           7/27/2009
Time:           9:52:28 PM
User:           S-1-5-21-1635994856-3625636839-4110126995-1601
Computer:       JohnLaptop
Description:
Object Open:
        Object Server:  SC Manager
        Object Type:    SC_MANAGER OBJECT
        Object Name:    ServicesActive
        Handle ID:      -
        Operation ID:   {0,21101683}
        Process ID:     1316
        Image File Name:        C:\WINDOWS\system32\services.exe
        Primary User Name:      JohnLaptop$
        Primary Domain: homedomain
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       jsmith
        Client Domain:  homedomain
        Client Logon ID:        (0x0,0x1FDCB)
        Accesses:               DELETE
                        READ_CONTROL
                        WRITE_DAC
                        WRITE_OWNER
                        Connect to service controller
                        Create a new service
                        Enumerate services
                        Lock service database for exclusive access
                        Query service database lock state
                        Set last-known-good state of service database

        Privileges:             -
        Restricted Sid Count: 0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Users who log in as an administrator do not get these events.
Is there some way to prevent these failure events from occurring without
granting these users admin rights or turning off auditing?

How about a Google search for:

Event ID: 560

which finds 189,000 hits and this Microsoft article on top of the
list:

http://support.microsoft.com/kb/841001
 
Mygposts

I don't have event 562. The Microsoft page seems to have errors or typos in
the steps:
"In the Connection dialog box, make sure that the Distinguished Name option
is selected, and then type the following in the Distinguished Name field:
CN=Server,CN=System,DC=Domain_Name,DC=Domain_Extensionaceholder throughout
these steps."

What?? "DC=Domain_Extensionaceholder throughout these steps."

Google has so many thousands of results with different fixes for this error
that it is difficult to find the right one.
 
