Re: Auditing Privilege Use - failure only but still get Success
From: Bruce Sanderson (Bruce.Sanderson_at_junk.junk)
Date: 02/04/04
- Next message: Randy Bickford: "Re: Number of cached logons"
- Previous message: Tim Springston \(MSFT\): "Re: How to open the TCP/IP stack to the builtin "Users" group."
- In reply to: Bruce Sanderson: "Auditing Privilege Use - failure only but still get Success"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 4 Feb 2004 15:49:45 -0800
After I sent the first post, the Domain Administrators changed the Default
Domain Policy and set all of the Auditing settings to "Not Defined", which,
if I understand correctly, means our computers now get the OS default
settings as defined in the Group Policy Help, which is essentially:
Audit account logon events: Success only (applies to remote access, not
local logons; Domain User logons are recorded on Domain Controllers, not the
local computer)
Audit account management: No Auditing
Audit directory service access: undefined (only has meaning on Domain
Controllers)
Audit logon events: Success only (applies to Local user accounts only)
Audit object access: No Auditing
Audit policy change: No Auditing – member computers
Audit privilege use: No Auditing
Audit process tracking: No Auditing
Audit system events: No Auditing
Before this change, other things were being audited (sorry, I don't have a
complete list at my disposal, but I think it was essentially audit
everything, success or failure). We no longer get the events I reported in
my first post, so the immediate problem is fixed.
I guess my question really is:
a. the event log entry says it is Category: Privilege Use, Event Type:
Success Audit
b. I had set the Audit Policy to only report Privilege Use failures
so, why were successes still being recorded? I must be missing something
here.
--
Bruce Sanderson
MVP

It's perfectly useless to know the right answer to the wrong question.

"Bruce Sanderson" <Bruce.Sanderson@junk.junk> wrote in message
news:uwglAL26DHA.1716@TK2MSFTNGP10.phx.gbl...
> Using a GPO, I've set the Auditing of Privilege Use to Failure only. I've
> verified that this setting is being applied to my XP workstations by using
> the Resultant Set of Policies mmc snap-in and gpedit.msc (locally on this
> computer).
>
> The setting is:
> Windows Settings\Security Settings\Local Policies\Audit Policy\Audit
> privilege use:
> · Define these policy settings: checked
> · Success: not checked
> · Failure: checked
>
> However, some successful use of privileges still appear to be logged (on the
> computer I checked the Resultant Set of Policies on). See the entry below.
> What do I have to do to stop these Success events from being logged? At the
> same time I changed the Privilege Use Audit setting in this GPO, I also
> changed the Maximum Size of the Security Event Log (Windows
> Settings\Security Settings\Event Log\Maximum security log size:). Resultant
> Set of Policies and Computer Management on this computer tells me that the
> log now has the maximum size I set in the GPO, so I'm reasonably sure that
> this GPO is being applied to this computer.
>
> We are getting a large number of these events logged which are flooding the
> Security Event Log (several hundred at least at each logon). We are
> attempting to find out what is causing so many of these events to occur, but
> that's a different problem.
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Privilege Use
> Event ID: 578
> Date: 04/Feb/2004
> Time: 12:34:45 PM
> User: WBCA30420\SMSCliSvcAcct&
> Computer: WBCA30420
> Description:
> Privileged object operation:
> Object Server: Security
> Object Handle: 448
> Process ID: 1804
> Primary User Name: SMSCliSvcAcct&
> Primary Domain: WBCA30420
> Primary Logon ID: (0x0,0xF9FB)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Privileges: SeTakeOwnershipPrivilege
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> --
> Bruce Sanderson
> MVP
>
> It's perfectly useless to know the right answer to the wrong question.
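As an added example (not part of the original post, and not Bruce's or Microsoft's tooling): the post says the team is still trying to find out what is generating several hundred of these events per logon. The script below parses a text export in the same "Key: Value" layout as the quoted event and tallies Success Audit entries in the Privilege Use category by account, privilege and process ID, so the noisiest source stands out. The records are constructed sample data modelled on the quoted entry; the field names come from that entry.

```python
"""Tally Privilege Use success audits (Event ID 578) by account, privilege and process.

Added example, not from the original post. The input layout mirrors the event
entry quoted in the thread; the records below are constructed sample data.
"""
from collections import Counter

# Constructed sample export: blank-line separated records in the layout of the
# quoted event (first record kept in full as the format reference). Not real data.
SAMPLE_EXPORT = r"""Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 04/Feb/2004
Time: 12:34:45 PM
User: WBCA30420\SMSCliSvcAcct&
Computer: WBCA30420
Description:
Privileged object operation:
Object Server: Security
Object Handle: 448
Process ID: 1804
Primary User Name: SMSCliSvcAcct&
Primary Domain: WBCA30420
Primary Logon ID: (0x0,0xF9FB)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeTakeOwnershipPrivilege

Event Type: Success Audit
Event Category: Privilege Use
Event ID: 578
Time: 12:34:46 PM
Process ID: 1804
Primary User Name: SMSCliSvcAcct&
Privileges: SeTakeOwnershipPrivilege

Event Type: Failure Audit
Event Category: Privilege Use
Event ID: 578
Time: 12:34:47 PM
Process ID: 1804
Primary User Name: SMSCliSvcAcct&
Privileges: SeTakeOwnershipPrivilege

Event Type: Success Audit
Event Category: Privilege Use
Event ID: 578
Time: 12:35:10 PM
Process ID: 2100
Primary User Name: Administrator
Privileges: SeBackupPrivilege

Event Type: Success Audit
Event Category: Logon/Logoff
Event ID: 528
Time: 12:35:11 PM
"""


def parse_events(text):
    """Split an exported log into blank-line separated records and turn each
    record's 'Key: Value' lines into a dict. Lines without a colon (or with an
    empty value such as 'Description:') are kept harmlessly or skipped."""
    events = []
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue  # not a field line
            record[key.strip()] = value.strip()
        if record:
            events.append(record)
    return events


def tally_success_privilege_use(events):
    """Count Success Audit entries in the Privilege Use category, grouped by
    the account, privilege and process that produced them. Failure audits and
    other categories are ignored, so the result shows exactly what is
    generating the unexpected Success volume."""
    tally = Counter()
    for ev in events:
        if ev.get("Event Type") != "Success Audit":
            continue
        if ev.get("Event Category") != "Privilege Use":
            continue
        key = (ev.get("Primary User Name", "?"),
               ev.get("Privileges", "?"),
               ev.get("Process ID", "?"))
        tally[key] += 1
    return tally


if __name__ == "__main__":
    counts = tally_success_privilege_use(parse_events(SAMPLE_EXPORT))
    for (user, priv, pid), n in counts.most_common():
        print(f"{n:5d}  {user:<20} {priv:<28} PID {pid}")
```

Run against a real export (Event Viewer's "Save As" text format for the Security log has the same one-field-per-line layout), the top row of the output is the account, privilege and process to chase first; grouping by process ID rather than only by account is what separates one chatty service from many callers using the same account.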