Auditing Privilege Use - failure only but still get Success

From: Bruce Sanderson (Bruce.Sanderson_at_junk.junk)
Date: 02/04/04


Date: Wed, 4 Feb 2004 13:05:47 -0800

Using a GPO, I've set the Auditing of Privilege Use to Failure only. I've
verified that this setting is being applied to my XP workstations by using
the Resultant Set of Policies mmc snap-in and gpedit.msc (locally on this
computer).

The setting is:
   Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use:
      · Define these policy settings: checked
      · Success: not checked
      · Failure: checked

However, some successful uses of privileges still appear to be logged (on the
computer I checked the Resultant Set of Policies on). See the entry below.
What do I have to do to stop these Success events from being logged? At the
same time I changed the Privilege Use Audit setting in this GPO, I also
changed the Maximum Size of the Security Event Log (Windows
Settings\Security Settings\Event Log\Maximum security log size:). Resultant
Set of Policies and Computer Management on this computer tells me that the
log now has the maximum size I set in the GPO, so I'm reasonably sure that
this GPO is being applied to this computer.

We are getting a large number of these events logged which are flooding the
Security Event Log (several hundred at least at each logon). We are
attempting to find out what is causing so many of these events to occur, but
that's a different problem.

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 04/Feb/2004
Time: 12:34:45 PM
User: WBCA30420\SMSCliSvcAcct&
Computer: WBCA30420
Description:
Privileged object operation:
  Object Server: Security
  Object Handle: 448
  Process ID: 1804
  Primary User Name: SMSCliSvcAcct&
  Primary Domain: WBCA30420
  Primary Logon ID: (0x0,0xF9FB)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Privileges: SeTakeOwnershipPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

--
Bruce Sanderson MVP
It's perfectly useless to know the right answer to the wrong question.
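
An added example, not part of the original post: one way to see which account, process and privilege account for a flood of Event ID 578 records, and whether they are Success or Failure audits, by tallying a text export of the Security log in the layout shown in the post. The sample records and the function names are constructed for illustration.

```python
import re
from collections import Counter

# "Name: value" lines, as in the event text shown in the post.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split an Event Viewer text export into one dict of fields per record."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Event Type":        # first field of every record
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def tally_privilege_use(text, event_id="578"):
    """Count records by (audit type, primary user, process ID, privilege)."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("Event ID") != event_id:
            continue
        counts[(ev.get("Event Type"), ev.get("Primary User Name"),
                ev.get("Process ID"), ev.get("Privileges"))] += 1
    return counts

def _record(audit_type, user, pid, privilege):
    # Constructed record in the layout shown in the post (values are made up).
    return (f"Event Type: {audit_type}\nEvent Source: Security\n"
            f"Event Category: Privilege Use\nEvent ID: 578\n"
            f"Description:\nPrivileged object operation:\n"
            f"  Process ID: {pid}\n  Primary User Name: {user}\n"
            f"  Privileges: {privilege}\n\n")

SAMPLE = (_record("Success Audit", "svc_example", "1804",
                  "SeTakeOwnershipPrivilege") * 3
          + _record("Failure Audit", "alice", "2210", "SeSecurityPrivilege"))

if __name__ == "__main__":
    # Most frequent combinations first; Success rows stand out immediately.
    for key, n in tally_privilege_use(SAMPLE).most_common():
        print(n, *key, sep="\t")
```
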

