| Home | Register | Members | Search | Links |
 |
| Thread Tools | Display Modes |
|
kcsteele
Guest
Posts: n/a
|
Hi, I'm getting failure audits in the security log of the PDC every
time a user logs on or a computer refreshes computer policy: [USER] Event Type: Failure Audit Event Source: Security Event Category: Object Access Event ID: 560 Date: 2/26/2008 Time: 7:12:15 AM User: DOMAIN\User Computer: DC Description: Object Open: Object Server: Security Object Type: File Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207- FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat Handle ID: - Operation ID: {0,81314006} Process ID: 4 Image File Name: Primary User Name: DC$ Primary Domain: DOMAIN Primary Logon ID: (0x0,0x3E7) Client User Name: user Client Domain: DOMAIN Client Logon ID: (0x0,0x4D8BED6) Accesses: READ_CONTROL ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x2019F [COMPUTER] Event Type: Failure Audit Event Source: Security Event Category: Object Access Event ID: 560 Date: 2/26/2008 Time: 7:14:28 AM User: DOMAIN\WORKSTATION$ Computer: DC Description: Object Open: Object Server: Security Object Type: File Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311- F537-4423- A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Handle ID: - Operation ID: {0,81342299} Process ID: 4 Image File Name: Primary User Name: DC$ Primary Domain: DOMAIN Primary Logon ID: (0x0,0x3E7) Client User Name: WORKSTATION$ Client Domain: DOMAIN Client Logon ID: (0x0,0x4D92D17) Accesses: READ_CONTROL ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x2019F This is accompanied by failure audits for each separate logon script (startup script in the case of computers, not users). The strange thing is that the scripts still run no problem. I'm trying to figure out why there are failures getting triggered if the logon/startup scripts still run successfully. I checked the NTFS ACL on the track_logon.bat referenced in the first event, and it has read and read&execute allowed for "authenticated users". Thanks if anyone can provide any more info. |
|
|
|
|
|||
|
|||
|
|
|
| |
|
Meinolf Weber
Guest
Posts: n/a
|
Hello kcsteele,
You talk about the script. Is in the script an user account configured for some reason? Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > Hi, I'm getting failure audits in the security log of the PDC every > time a user logs on or a computer refreshes computer policy: > > [USER] > > Event Type: Failure Audit > Event Source: Security > Event Category: Object Access > Event ID: 560 > Date: 2/26/2008 > Time: 7:12:15 AM > User: DOMAIN\User > Computer: DC > Description: > Object Open: > Object Server: Security > Object Type: File > Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207- > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat > Handle ID: - > Operation ID: {0,81314006} > Process ID: 4 > Image File Name: > Primary User Name: DC$ > Primary Domain: DOMAIN > Primary Logon ID: (0x0,0x3E7) > Client User Name: user > Client Domain: DOMAIN > Client Logon ID: (0x0,0x4D8BED6) > Accesses: READ_CONTROL > ReadData (or ListDirectory) > WriteData (or AddFile) > AppendData (or AddSubdirectory or > CreatePipeInstance) > ReadEA > WriteEA > ReadAttributes > WriteAttributes > Privileges: - > Restricted Sid Count: 0 > Access Mask: 0x2019F > [COMPUTER] > > Event Type: Failure Audit > Event Source: Security > Event Category: Object Access > Event ID: 560 > Date: 2/26/2008 > Time: 7:14:28 AM > User: DOMAIN\WORKSTATION$ > Computer: DC > Description: > Object Open: > Object Server: Security > Object Type: File > Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311- > F537-4423- > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf > Handle ID: - > Operation ID: {0,81342299} > Process ID: 4 > Image File Name: > Primary User Name: DC$ > Primary Domain: DOMAIN > Primary Logon ID: (0x0,0x3E7) > Client User Name: WORKSTATION$ > Client Domain: DOMAIN > Client Logon ID: (0x0,0x4D92D17) > Accesses: READ_CONTROL > ReadData (or ListDirectory) > WriteData (or AddFile) > AppendData (or AddSubdirectory or > CreatePipeInstance) > ReadEA > WriteEA > ReadAttributes > WriteAttributes > Privileges: - > Restricted Sid Count: 0 > Access Mask: 0x2019F > This is accompanied by failure audits for each separate logon script > (startup script in the case of computers, not users). The strange > thing is that the scripts still run no problem. I'm trying to figure > out why there are failures getting triggered if the logon/startup > scripts still run successfully. I checked the NTFS ACL on the > track_logon.bat referenced in the first event, and it has read and > read&execute allowed for "authenticated users". > > Thanks if anyone can provide any more info. > |
|
|
|
|
|||
|
|
|||
|
kcsteele
Guest
Posts: n/a
|
Hi Meinolf,
They are just logon scripts assigned via GPO that do simple things like append to a .txt file the time that the person logged in (you will see in my original post the event references "track_logon.bat"). However, notice the other event I posted, you will see that it is a machine attempting to refresh machine group policy, which also generates a failure audit. Regardless the users and machines all receive their policies and run the scripts OK, so I'm confused as to why the failure audits are being triggered. On Feb 27, 8:50*am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote: > Hello kcsteele, > > You talk about the script. Is in the script an user account configured for > some reason? > > Best regards > > Meinolf Weber > Disclaimer: This posting is provided "AS IS" with no warranties, and confers > no rights. > ** Please do NOT email, only reply to Newsgroups > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm > > > > > Hi, I'm getting failure audits in the security log of the PDC every > > time a user logs on or a computer refreshes computer policy: > > > [USER] > > > Event Type: * * Failure Audit > > Event Source: * Security > > Event Category: Object Access > > Event ID: * * * 560 > > Date: * * * * * 2/26/2008 > > Time: * * * * * 7:12:15 AM > > User: * * * * * DOMAIN\User > > Computer: * * * DC > > Description: > > Object Open: > > Object Server: *Security > > Object Type: * *File > > Object Name: * *C:\WINDOWS\SYSVOL\domain\Policies\{0315E207- > > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat > > Handle ID: * * *- > > Operation ID: * {0,81314006} > > Process ID: * * 4 > > Image File Name: > > Primary User Name: * * *DC$ > > Primary Domain: DOMAIN > > Primary Logon ID: * * * (0x0,0x3E7) > > Client User Name: * * * user > > Client Domain: *DOMAIN > > Client Logon ID: * * * *(0x0,0x4D8BED6) > > Accesses: * * * READ_CONTROL > > ReadData (or ListDirectory) > > WriteData (or AddFile) > > AppendData (or AddSubdirectory or > > CreatePipeInstance) > > ReadEA > > WriteEA > > ReadAttributes > > WriteAttributes > > Privileges: * * - > > Restricted Sid Count: * 0 > > Access Mask: * *0x2019F > > [COMPUTER] > > > Event Type: * * Failure Audit > > Event Source: * Security > > Event Category: Object Access > > Event ID: * * * 560 > > Date: * * * * * 2/26/2008 > > Time: * * * * * 7:14:28 AM > > User: * * * * * DOMAIN\WORKSTATION$ > > Computer: * * * DC > > Description: > > Object Open: > > Object Server: *Security > > Object Type: * *File > > Object Name: * *C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311- > > F537-4423- > > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf > > Handle ID: * * *- > > Operation ID: * {0,81342299} > > Process ID: * * 4 > > Image File Name: > > Primary User Name: * * *DC$ > > Primary Domain: DOMAIN > > Primary Logon ID: * * * (0x0,0x3E7) > > Client User Name: * * * WORKSTATION$ > > Client Domain: *DOMAIN > > Client Logon ID: * * * *(0x0,0x4D92D17) > > Accesses: * * * READ_CONTROL > > ReadData (or ListDirectory) > > WriteData (or AddFile) > > AppendData (or AddSubdirectory or > > CreatePipeInstance) > > ReadEA > > WriteEA > > ReadAttributes > > WriteAttributes > > Privileges: * * - > > Restricted Sid Count: * 0 > > Access Mask: * *0x2019F > > This is accompanied by failure audits for each separate logon script > > (startup script in the case of computers, not users). The strange > > thing is that the scripts still run no problem. I'm trying to figure > > out why there are failures getting triggered if the logon/startup > > scripts still run successfully. I checked the NTFS ACL on the > > track_logon.bat referenced in the first event, and it has read and > > read&execute allowed for "authenticated users". > > > Thanks if anyone can provide any more info.- Hide quoted text - > > - Show quoted text - |
|
|
|
|
|||
|
|
|||
|
kcsteele
Guest
Posts: n/a
|
Also the domain was originally NT4 and then upgraded to 2003. Perhaps
there is something lingering from the NT4 domain that is causing the failures audits to be triggered? On Feb 27, 8:50*am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote: > Hello kcsteele, > > You talk about the script. Is in the script an user account configured for > some reason? > > Best regards > > Meinolf Weber > Disclaimer: This posting is provided "AS IS" with no warranties, and confers > no rights. > ** Please do NOT email, only reply to Newsgroups > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm > > > > > Hi, I'm getting failure audits in the security log of the PDC every > > time a user logs on or a computer refreshes computer policy: > > > [USER] > > > Event Type: * * Failure Audit > > Event Source: * Security > > Event Category: Object Access > > Event ID: * * * 560 > > Date: * * * * * 2/26/2008 > > Time: * * * * * 7:12:15 AM > > User: * * * * * DOMAIN\User > > Computer: * * * DC > > Description: > > Object Open: > > Object Server: *Security > > Object Type: * *File > > Object Name: * *C:\WINDOWS\SYSVOL\domain\Policies\{0315E207- > > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat > > Handle ID: * * *- > > Operation ID: * {0,81314006} > > Process ID: * * 4 > > Image File Name: > > Primary User Name: * * *DC$ > > Primary Domain: DOMAIN > > Primary Logon ID: * * * (0x0,0x3E7) > > Client User Name: * * * user > > Client Domain: *DOMAIN > > Client Logon ID: * * * *(0x0,0x4D8BED6) > > Accesses: * * * READ_CONTROL > > ReadData (or ListDirectory) > > WriteData (or AddFile) > > AppendData (or AddSubdirectory or > > CreatePipeInstance) > > ReadEA > > WriteEA > > ReadAttributes > > WriteAttributes > > Privileges: * * - > > Restricted Sid Count: * 0 > > Access Mask: * *0x2019F > > [COMPUTER] > > > Event Type: * * Failure Audit > > Event Source: * Security > > Event Category: Object Access > > Event ID: * * * 560 > > Date: * * * * * 2/26/2008 > > Time: * * * * * 7:14:28 AM > > User: * * * * * DOMAIN\WORKSTATION$ > > Computer: * * * DC > > Description: > > Object Open: > > Object Server: *Security > > Object Type: * *File > > Object Name: * *C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311- > > F537-4423- > > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf > > Handle ID: * * *- > > Operation ID: * {0,81342299} > > Process ID: * * 4 > > Image File Name: > > Primary User Name: * * *DC$ > > Primary Domain: DOMAIN > > Primary Logon ID: * * * (0x0,0x3E7) > > Client User Name: * * * WORKSTATION$ > > Client Domain: *DOMAIN > > Client Logon ID: * * * *(0x0,0x4D92D17) > > Accesses: * * * READ_CONTROL > > ReadData (or ListDirectory) > > WriteData (or AddFile) > > AppendData (or AddSubdirectory or > > CreatePipeInstance) > > ReadEA > > WriteEA > > ReadAttributes > > WriteAttributes > > Privileges: * * - > > Restricted Sid Count: * 0 > > Access Mask: * *0x2019F > > This is accompanied by failure audits for each separate logon script > > (startup script in the case of computers, not users). The strange > > thing is that the scripts still run no problem. I'm trying to figure > > out why there are failures getting triggered if the logon/startup > > scripts still run successfully. I checked the NTFS ACL on the > > track_logon.bat referenced in the first event, and it has read and > > read&execute allowed for "authenticated users". > > > Thanks if anyone can provide any more info.- Hide quoted text - > > - Show quoted text - |
|
|
|
|
|||
|
|
|||
|
kcsteele
Guest
Posts: n/a
|
bump
thanks On Feb 29, 7:07*am, kcsteele <k.c.ste...@gmail.com> wrote: > Also the domain was originally NT4 and then upgraded to 2003. Perhaps > there is something lingering from the NT4 domain that is causing the > failures audits to be triggered? > > On Feb 27, 8:50*am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote: > > > > > Hello kcsteele, > > > You talk about the script. Is in the script an user account configured for > > some reason? > > > Best regards > > > Meinolf Weber > > Disclaimer: This posting is provided "AS IS" with no warranties, and confers > > no rights. > > ** Please do NOT email, only reply to Newsgroups > > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm > > > > Hi, I'm getting failure audits in the security log of the PDC every > > > time a user logs on or a computer refreshes computer policy: > > > > [USER] > > > > Event Type: * * Failure Audit > > > Event Source: * Security > > > Event Category: Object Access > > > Event ID: * * * 560 > > > Date: * * * * * 2/26/2008 > > > Time: * * * * * 7:12:15 AM > > > User: * * * * * DOMAIN\User > > > Computer: * * * DC > > > Description: > > > Object Open: > > > Object Server: *Security > > > Object Type: * *File > > > Object Name: * *C:\WINDOWS\SYSVOL\domain\Policies\{0315E207- > > > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat > > > Handle ID: * * *- > > > Operation ID: * {0,81314006} > > > Process ID: * * 4 > > > Image File Name: > > > Primary User Name: * * *DC$ > > > Primary Domain: DOMAIN > > > Primary Logon ID: * * * (0x0,0x3E7) > > > Client User Name: * * * user > > > Client Domain: *DOMAIN > > > Client Logon ID: * * * *(0x0,0x4D8BED6) > > > Accesses: * * * READ_CONTROL > > > ReadData (or ListDirectory) > > > WriteData (or AddFile) > > > AppendData (or AddSubdirectory or > > > CreatePipeInstance) > > > ReadEA > > > WriteEA > > > ReadAttributes > > > WriteAttributes > > > Privileges: * * - > > > Restricted Sid Count: * 0 > > > Access Mask: * *0x2019F > > > [COMPUTER] > > > > Event Type: * * Failure Audit > > > Event Source: * Security > > > Event Category: Object Access > > > Event ID: * * * 560 > > > Date: * * * * * 2/26/2008 > > > Time: * * * * * 7:14:28 AM > > > User: * * * * * DOMAIN\WORKSTATION$ > > > Computer: * * * DC > > > Description: > > > Object Open: > > > Object Server: *Security > > > Object Type: * *File > > > Object Name: * *C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311- > > > F537-4423- > > > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf > > > Handle ID: * * *- > > > Operation ID: * {0,81342299} > > > Process ID: * * 4 > > > Image File Name: > > > Primary User Name: * * *DC$ > > > Primary Domain: DOMAIN > > > Primary Logon ID: * * * (0x0,0x3E7) > > > Client User Name: * * * WORKSTATION$ > > > Client Domain: *DOMAIN > > > Client Logon ID: * * * *(0x0,0x4D92D17) > > > Accesses: * * * READ_CONTROL > > > ReadData (or ListDirectory) > > > WriteData (or AddFile) > > > AppendData (or AddSubdirectory or > > > CreatePipeInstance) > > > ReadEA > > > WriteEA > > > ReadAttributes > > > WriteAttributes > > > Privileges: * * - > > > Restricted Sid Count: * 0 > > > Access Mask: * *0x2019F > > > This is accompanied by failure audits for each separate logon script > > > (startup script in the case of computers, not users). The strange > > > thing is that the scripts still run no problem. I'm trying to figure > > > out why there are failures getting triggered if the logon/startup > > > scripts still run successfully. I checked the NTFS ACL on the > > > track_logon.bat referenced in the first event, and it has read and > > > read&execute allowed for "authenticated users". > > > > Thanks if anyone can provide any more info.- Hide quoted text - > > > - Show quoted text -- Hide quoted text - > > - Show quoted text - |
|
|
|
|
|||
|
|
|||
|
kcsteele
Guest
Posts: n/a
|
On Mar 4, 7:53*am, kcsteele <k.c.ste...@gmail.com> wrote:
> bump > > thanks > > On Feb 29, 7:07*am, kcsteele <k.c.ste...@gmail.com> wrote: > > > > > Also the domain was originally NT4 and then upgraded to 2003. Perhaps > > there is something lingering from the NT4 domain that is causing the > > failures audits to be triggered? > > > On Feb 27, 8:50*am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote: > > > > Hello kcsteele, > > > > You talk about the script. Is in the script an user account configuredfor > > > some reason? > > > > Best regards > > > > Meinolf Weber > > > Disclaimer: This posting is provided "AS IS" with no warranties, and confers > > > no rights. > > > ** Please do NOT email, only reply to Newsgroups > > > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm > > > > > Hi, I'm getting failure audits in the security log of the PDC every > > > > time a user logs on or a computer refreshes computer policy: > > > > > [USER] > > > > > Event Type: * * Failure Audit > > > > Event Source: * Security > > > > Event Category: Object Access > > > > Event ID: * * * 560 > > > > Date: * * * * * 2/26/2008 > > > > Time: * * * * * 7:12:15 AM > > > > User: * * * * * DOMAIN\User > > > > Computer: * * * DC > > > > Description: > > > > Object Open: > > > > Object Server: *Security > > > > Object Type: * *File > > > > Object Name: * *C:\WINDOWS\SYSVOL\domain\Policies\{0315E207- > > > > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat > > > > Handle ID: * * *- > > > > Operation ID: * {0,81314006} > > > > Process ID: * * 4 > > > > Image File Name: > > > > Primary User Name: * * *DC$ > > > > Primary Domain: DOMAIN > > > > Primary Logon ID: * * * (0x0,0x3E7) > > > > Client User Name: * * * user > > > > Client Domain: *DOMAIN > > > > Client Logon ID: * * * *(0x0,0x4D8BED6) > > > > Accesses: * * * READ_CONTROL > > > > ReadData (or ListDirectory) > > > > WriteData (or AddFile) > > > > AppendData (or AddSubdirectory or > > > > CreatePipeInstance) > > > > ReadEA > > > > WriteEA > > > > ReadAttributes > > > > WriteAttributes > > > > Privileges: * * - > > > > Restricted Sid Count: * 0 > > > > Access Mask: * *0x2019F > > > > [COMPUTER] > > > > > Event Type: * * Failure Audit > > > > Event Source: * Security > > > > Event Category: Object Access > > > > Event ID: * * * 560 > > > > Date: * * * * * 2/26/2008 > > > > Time: * * * * * 7:14:28 AM > > > > User: * * * * * DOMAIN\WORKSTATION$ > > > > Computer: * * * DC > > > > Description: > > > > Object Open: > > > > Object Server: *Security > > > > Object Type: * *File > > > > Object Name: * *C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311- > > > > F537-4423- > > > > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf > > > > Handle ID: * * *- > > > > Operation ID: * {0,81342299} > > > > Process ID: * * 4 > > > > Image File Name: > > > > Primary User Name: * * *DC$ > > > > Primary Domain: DOMAIN > > > > Primary Logon ID: * * * (0x0,0x3E7) > > > > Client User Name: * * * WORKSTATION$ > > > > Client Domain: *DOMAIN > > > > Client Logon ID: * * * *(0x0,0x4D92D17) > > > > Accesses: * * * READ_CONTROL > > > > ReadData (or ListDirectory) > > > > WriteData (or AddFile) > > > > AppendData (or AddSubdirectory or > > > > CreatePipeInstance) > > > > ReadEA > > > > WriteEA > > > > ReadAttributes > > > > WriteAttributes > > > > Privileges: * * - > > > > Restricted Sid Count: * 0 > > > > Access Mask: * *0x2019F > > > > This is accompanied by failure audits for each separate logon script > > > > (startup script in the case of computers, not users). The strange > > > > thing is that the scripts still run no problem. I'm trying to figure > > > > out why there are failures getting triggered if the logon/startup > > > > scripts still run successfully. I checked the NTFS ACL on the > > > > track_logon.bat referenced in the first event, and it has read and > > > > read&execute allowed for "authenticated users". > > > > > Thanks if anyone can provide any more info.- Hide quoted text - > > > > - Show quoted text -- Hide quoted text - > > > - Show quoted text -- Hide quoted text - > > - Show quoted text - bump |
|
|
|
|
|||
|
|
|||
|
|
|
| |
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Nameserver failure in scripts FC5 | dwormuth@post.harvard.edu | Linux Networking | 4 | 04-03-2006 09:47 PM |
| Help with Failure Audits | =?Utf-8?B?Qm9iYnkyOA==?= | Windows Networking | 0 | 11-08-2004 05:31 PM |
| Failure Audits in Event Viewer | =?Utf-8?B?Qm9iYnkyOA==?= | Windows Networking | 2 | 10-29-2004 12:43 PM |
| Failure Audits | =?Utf-8?B?Qm9iYnkyOA==?= | Windows Networking | 6 | 10-08-2004 06:03 PM |
| Failure Audits in 2003 Server | =?Utf-8?B?Qm9iYnkyOA==?= | Windows Networking | 4 | 10-06-2004 03:49 PM |
Forum Software Powered by vBulletin®, Copyright Jelsoft Enterprises Ltd.
SEO by vBSEO 3.3.2 ©2009, Crawlability, Inc. |
Linear Mode
