audit

Guest
Archived from groups: microsoft.public.win2000.security

I audit to logons...can someone tell me what they mean?

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 11/15/2004
Time: 5:02:22 PM
User: domain\user1
Computer: machinename
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0xE15B34)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 11/15/2004
Time: 5:02:22 PM
User: domain/user1
Computer: CIL-132
Description:
Privileged object operation:
Object Server: SC Manager
Object Handle: -312443664
Process ID: 1068
Primary User Name: machinename$
Primary Domain: domainname
Primary Logon ID: (0x0,0x3E7)
Client User Name: dheckel
Client Domain: domainname
Client Logon ID: (0x0,0xE15B34)
Privileges: SeTakeOwnershipPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


--
_____
DC G
 
Guest

The SeChangeNotifyPrivilege is the "Bypass Traverse Checking" user right.
The SeTakeOwnershipPrivilege allows users assigned this privilege to take
ownership of any and all files and folders. The "Bypass Traverse Checking"
right is granted to all users by default. The Take Ownership right is
granted to Administrators by default.

See the following URL for the SeChangeNotifyPrivilege:
http://www.mcse.ms/message1206960.html

"DC beloved patriot" wrote:

> I audit to logons...can someone tell me what they mean?
 
Guest

That indicates that user1 successfully exercised some user rights.
Particularly looks like that user did a backup and/or restore operation.
Auditing of privilege use displays when a user used or attempted to use a
user right. The user rights for a computer are shown in the Local Security
Policy under security settings/local policies/user rights. For Windows 2000
the effective user right may differ from the local setting if the computer
is a domain member.
--- Steve



"DC beloved patriot" <dcgringo@visiontechnology.net> wrote in message
news:%23kVGpEAzEHA.3908@TK2MSFTNGP12.phx.gbl...
>I audit to logons...can someone tell me what they mean?
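Added example, not part of the thread: a Python sketch that parses text exports of events 576 and 578 like the ones posted and joins them on the logon ID, which is the field that ties the 578 in the question back to the 576 logon session. The function names and the plain-text export layout are assumptions; the sample holds the question's two events cut down to the fields used.

```python
import re

# The two events from the question, cut down to the fields used below.
SAMPLE = """\
Event Type: Success Audit
Event ID: 576
Logon ID: (0x0,0xE15B34)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege

Event Type: Success Audit
Event ID: 578
Client User Name: dheckel
Client Logon ID: (0x0,0xE15B34)
Privileges: SeTakeOwnershipPrivilege
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split a text export into events; bare Se* lines continue Privileges."""
    events, in_privs = [], False
    for line in map(str.strip, text.splitlines()):
        m = FIELD.match(line)
        if m:
            in_privs = m.group(1) == "Privileges"
        if m and m.group(1) == "Event Type":
            events.append({"Privileges": []})  # each event starts at Event Type
        if not events or not line:
            continue
        if m and m.group(1) == "Privileges":
            events[-1]["Privileges"] = m.group(2).split()
        elif m:
            events[-1][m.group(1)] = m.group(2)
        elif in_privs and line.startswith("Se"):
            events[-1]["Privileges"].append(line)
    return events

def correlate(events):
    """Join each 578 to the 576 whose Logon ID equals its Client Logon ID."""
    logons = {e.get("Logon ID"): e for e in events if e.get("Event ID") == "576"}
    return [{"logon_id": e.get("Client Logon ID"),
             "client": e.get("Client User Name"),
             "used": e["Privileges"],  # privilege exercised in the 578
             "listed_at_logon": logons.get(e.get("Client Logon ID"), {}).get("Privileges")}
            for e in events if e.get("Event ID") == "578"]
```

`correlate(parse_events(SAMPLE))` returns one row per 578; `listed_at_logon` is `None` when the export contains no 576 for that logon session.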