Posted by kcsteele on March 19, 2008, 7:57 am
> bump
>
> thanks
>
> > Also the domain was originally NT4 and then upgraded to 2003. Perhaps
> > there is something lingering from the NT4 domain that is causing the
> > failure audits to be triggered?
>
>
> > > Hello kcsteele,
>
> > > You talk about the script. Is there a user account configured in the
> > > script for some reason?
>
> > > Best regards
>
> > > Meinolf Weber
> > > Disclaimer: This posting is provided "AS IS" with no warranties, and
> > > confers no rights.
> > > ** Please do NOT email, only reply to Newsgroups
> > > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > > > Hi, I'm getting failure audits in the security log of the PDC every
> > > > time a user logs on or a computer refreshes computer policy:
>
> > > > [USER]
>
> > > > Event Type: Failure Audit
> > > > Event Source: Security
> > > > Event Category: Object Access
> > > > Event ID: 560
> > > > Date: 2/26/2008
> > > > Time: 7:12:15 AM
> > > > User: DOMAIN\User
> > > > Computer: DC
> > > > Description:
> > > > Object Open:
> > > > Object Server: Security
> > > > Object Type: File
> > > > Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
> > > > Handle ID: -
> > > > Operation ID:
> > > > Process ID: 4
> > > > Image File Name:
> > > > Primary User Name: DC$
> > > > Primary Domain: DOMAIN
> > > > Primary Logon ID: (0x0,0x3E7)
> > > > Client User Name: user
> > > > Client Domain: DOMAIN
> > > > Client Logon ID: (0x0,0x4D8BED6)
> > > > Accesses: READ_CONTROL
> > > >           ReadData (or ListDirectory)
> > > >           WriteData (or AddFile)
> > > >           AppendData (or AddSubdirectory or CreatePipeInstance)
> > > >           ReadEA
> > > >           WriteEA
> > > >           ReadAttributes
> > > >           WriteAttributes
> > > > Privileges: -
> > > > Restricted Sid Count: 0
> > > > Access Mask: 0x2019F
> > > >
> > > > [COMPUTER]
>
> > > > Event Type: Failure Audit
> > > > Event Source: Security
> > > > Event Category: Object Access
> > > > Event ID: 560
> > > > Date: 2/26/2008
> > > > Time: 7:14:28 AM
> > > > User: DOMAIN\WORKSTATION$
> > > > Computer: DC
> > > > Description:
> > > > Object Open:
> > > > Object Server: Security
> > > > Object Type: File
> > > > Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-F537-4423-A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
> > > > Handle ID: -
> > > > Operation ID:
> > > > Process ID: 4
> > > > Image File Name:
> > > > Primary User Name: DC$
> > > > Primary Domain: DOMAIN
> > > > Primary Logon ID: (0x0,0x3E7)
> > > > Client User Name: WORKSTATION$
> > > > Client Domain: DOMAIN
> > > > Client Logon ID: (0x0,0x4D92D17)
> > > > Accesses: READ_CONTROL
> > > >           ReadData (or ListDirectory)
> > > >           WriteData (or AddFile)
> > > >           AppendData (or AddSubdirectory or CreatePipeInstance)
> > > >           ReadEA
> > > >           WriteEA
> > > >           ReadAttributes
> > > >           WriteAttributes
> > > > Privileges: -
> > > > Restricted Sid Count: 0
> > > > Access Mask: 0x2019F
> > > >
> > > > This is accompanied by failure audits for each separate logon script
> > > > (startup script in the case of computers, not users). The strange
> > > > thing is that the scripts still run no problem. I'm trying to figure
> > > > out why there are failures getting triggered if the logon/startup
> > > > scripts still run successfully. I checked the NTFS ACL on the
> > > > track_logon.bat referenced in the first event, and it has read and
> > > > read&execute allowed for "authenticated users".
>
> > > > Thanks if anyone can provide any more info.
bump
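
The `Access Mask` value in the quoted Event 560 records can be decoded bit by bit and compared with the rights an ACL entry grants. This is an added example, not part of the original thread; it assumes that "read and read&execute" corresponds to `FILE_GENERIC_READ | FILE_GENERIC_EXECUTE`, and the sample event text is constructed from fields quoted above.

```python
import re

# File-object access rights (winnt.h bit values). Names follow the event
# text where the thread shows them; the others are descriptive labels.
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)",
    0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# Assumption: the NTFS "Read & Execute" permission is
# FILE_GENERIC_READ (0x120089) | FILE_GENERIC_EXECUTE (0x1200A0).
READ_AND_EXECUTE = 0x120089 | 0x1200A0

# Constructed sample: fields copied from the first event in the thread.
SAMPLE_EVENT = """\
Event ID: 560
Object Type: File
Client User Name: user
Access Mask: 0x2019F
"""

def decode_mask(mask):
    """Return the names of the rights set in a file access mask."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]

def requested_mask(event_text):
    """Extract the 'Access Mask' field from Event 560 text as an int."""
    m = re.search(r"^Access Mask:\s*(0x[0-9A-Fa-f]+)", event_text, re.M)
    if m is None:
        raise ValueError("no Access Mask field in event text")
    return int(m.group(1), 16)

def not_granted(event_text, granted=READ_AND_EXECUTE):
    """Rights the client requested that the granted mask does not cover."""
    return decode_mask(requested_mask(event_text) & ~granted)

if __name__ == "__main__":
    for right in not_granted(SAMPLE_EVENT):
        print("requested but not granted:", right)
```
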