
Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.

Posted by kcsteele on February 27, 2008, 7:40 am
Hi, I'm getting failure audits in the security log of the PDC every
time a user logs on or a computer refreshes computer policy:

[USER]


Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/26/2008
Time: 7:12:15 AM
User: DOMAIN\User
Computer: DC
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
Handle ID: -
Operation ID:
Process ID: 4
Image File Name:
Primary User Name: DC$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: user
Client Domain: DOMAIN
Client Logon ID: (0x0,0x4D8BED6)
Accesses: READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes


Privileges: -
Restricted Sid Count: 0
Access Mask: 0x2019F


[COMPUTER]


Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/26/2008
Time: 7:14:28 AM
User: DOMAIN\WORKSTATION$
Computer: DC
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-F537-4423-A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
Handle ID: -
Operation ID:
Process ID: 4
Image File Name:
Primary User Name: DC$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: WORKSTATION$
Client Domain: DOMAIN
Client Logon ID: (0x0,0x4D92D17)
Accesses: READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes


Privileges: -
Restricted Sid Count: 0
Access Mask: 0x2019F


This is accompanied by failure audits for each separate logon script
(startup script in the case of computers, not users). The strange
thing is that the scripts still run no problem. I'm trying to figure
out why there are failures getting triggered if the logon/startup
scripts still run successfully. I checked the NTFS ACL on the
track_logon.bat referenced in the first event, and it has read and
read&execute allowed for "authenticated users".


Thanks if anyone can provide any more info.
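
Added example, not part of the original thread: Python that decodes the Access Mask field of the posted Event 560 and lists which requested rights fall outside NTFS Read & Execute, the permission the poster reports for "authenticated users". It assumes that grant is the only one applying to the client account; the function names are made up for this example.

```python
import re

# File access-right bits from winnt.h, named the way Event 560 prints them.
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)", 0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA", 0x000010: "WriteEA",
    0x000020: "Execute/Traverse", 0x000040: "DeleteChild",
    0x000080: "ReadAttributes", 0x000100: "WriteAttributes",
    0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# NTFS "Read & Execute" = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
# Assumption: this is the only grant that applies to the client account.
READ_AND_EXECUTE = 0x1200A9

# Fields copied from the [USER] event in the post.
SAMPLE_EVENT = r"""
Event ID: 560
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
Client User Name: user
Access Mask: 0x2019F
"""

def parse_event(text):
    """Return the 'Name: value' fields of an event description as a dict."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in re.finditer(r"^([^:\n]+):[ \t]*(.*)$", text, re.M)}

def decode_mask(mask):
    """Names of the rights set in mask; bits not in the table are shown as hex."""
    names = [n for bit, n in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)
    return names + ([hex(unknown)] if unknown else [])

def uncovered_rights(requested, granted):
    """Requested rights the grant does not cover. The access check is
    all-or-nothing: one uncovered bit denies the whole open request."""
    return requested & ~granted

def triage(text, granted=READ_AND_EXECUTE):
    """Decode an event's mask and the part of it outside the granted rights."""
    ev = parse_event(text)
    requested = int(ev["Access Mask"], 16)
    return decode_mask(requested), decode_mask(uncovered_rights(requested, granted))

if __name__ == "__main__":
    asked, missing = triage(SAMPLE_EVENT)
    print("requested:", asked)
    print("not covered by Read & Execute:", missing)
```
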

Posted by Meinolf Weber on February 27, 2008, 8:50 am
Hello kcsteele,

You talk about the script. Is a user account configured in the script for
some reason?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm




Posted by kcsteele on February 29, 2008, 7:06 am
Hi Meinolf,

They are just logon scripts assigned via GPO that do simple things
like append to a .txt file the time that the person logged in (you
will see in my original post the event references "track_logon.bat").
However, notice the other event I posted, you will see that it is a
machine attempting to refresh machine group policy, which also
generates a failure audit. Regardless, the users and machines all
receive their policies and run the scripts OK, so I'm confused as to
why the failure audits are being triggered.



Posted by kcsteele on February 29, 2008, 7:07 am
Also the domain was originally NT4 and then upgraded to 2003. Perhaps
there is something lingering from the NT4 domain that is causing the
failure audits to be triggered?



Posted by kcsteele on March 4, 2008, 6:53 am
bump

thanks


