Sign in with
Sign up | Sign in
Your question

Audit Object Access Problem

Last response: in Windows 2000/NT
Share
Anonymous
January 24, 2005 7:52:21 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Good day everyone

I am having a problem with Windows 2000 (and XP) and active directory.
I want to enable the GPO setting "audit object access" and then specify
files and folders on workstations and servers that inherit this setting
from the GPO.

When I enable the above setting, I get thousands of entries in the
event logs every minute, even though there are no files or folders with
auditing enabled on any of the workstations/servers yet.

Here is a sample:
---------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3}
New Handle ID: 1516
Operation ID: {0,150820847}
Process ID: 1512
Primary User Name: xyzuser
Primary Domain: XYZDMN
Primary Logon ID: (0x0,0x53A05)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Privileges -
----------------------
and another:
----------------------
Handle Closed:
Object Server: Security
Handle ID: 1760
Process ID: 1284
----------------------


Even if I reset the auditing on the root of all drives (and set it to
propagate), I still get many thousands of these entries. If I disable
auditing of object access, I get no entries in the security event log
at all.

I don't think this is by design because I haven't seen this before. The
event logs fill up in a couple of minutes even if I set them to 100
MBytes.

Any ideas?

Jason
Anonymous
January 24, 2005 6:32:47 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You will normally get some events even if you do not have any auditing
enabled. You might want to use the free tool dumpsec from SomarSoft to see
if any folder/files are indeed enabled for auditing, possibly from a time in
the past and forgotten about or via Group Policy file system. Also check the
security option on those computers in Local Security Policy to make sure
that "audit access of global system objects" is not enabled. If it is
undefined set it to disabled. --- Steve

http://www.somarsoft.com/ -- link to Dumpsec

"JayJ" <jmcinnes@mighty.co.za> wrote in message
news:1106571141.143914.189390@f14g2000cwb.googlegroups.com...
> Good day everyone
>
> I am having a problem with Windows 2000 (and XP) and active directory.
> I want to enable the GPO setting "audit object access" and then specify
> files and folders on workstations and servers that inherit this setting
> from the GPO.
>
> When I enable the above setting, I get thousands of entries in the
> event logs every minute, even though there are no files or folders with
> auditing enabled on any of the workstations/servers yet.
>
> Here is a sample:
> ---------------------
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: \Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3}
> New Handle ID: 1516
> Operation ID: {0,150820847}
> Process ID: 1512
> Primary User Name: xyzuser
> Primary Domain: XYZDMN
> Primary Logon ID: (0x0,0x53A05)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> WriteData (or AddFile)
> AppendData (or AddSubdirectory or CreatePipeInstance)
> ReadEA
> WriteEA
> ReadAttributes
> WriteAttributes
>
> Privileges -
> ----------------------
> and another:
> ----------------------
> Handle Closed:
> Object Server: Security
> Handle ID: 1760
> Process ID: 1284
> ----------------------
>
>
> Even if I reset the auditing on the root of all drives (and set it to
> propagate), I still get many thousands of these entries. If I disable
> auditing of object access, I get no entries in the security event log
> at all.
>
> I don't think this is by design because I haven't seen this before. The
> event logs fill up in a couple of minutes even if I set them to 100
> MBytes.
>
> Any ideas?
>
> Jason
>
Anonymous
January 25, 2005 9:51:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steven

Thanks for the reply.

I'm seeing thousands of entries per minute, even though the option you
describe is disabled (access of global system objects). Do you know
what could be causing entries like
\Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3} to be audited? 99% of
the entries are these \Device\ ones.

Thanks

Jason
Related resources
Anonymous
January 25, 2005 11:35:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Jason.

I am at a loss as to why you are seeing that many events if auditing of
global objects is disabled and you are sure that no folders are enable for
auditing. For Windows 2000 computers make sure it shows as disabled for
"effective" setting in Local Security Policy. I could understand that a lot
of events would be reported on a domain controller or busy server but not a
workstation. --- Steve


"JayJ" <jmcinnes@mighty.co.za> wrote in message
news:1106664662.041032.49180@f14g2000cwb.googlegroups.com...
> Hi Steven
>
> Thanks for the reply.
>
> I'm seeing thousands of entries per minute, even though the option you
> describe is disabled (access of global system objects). Do you know
> what could be causing entries like
> \Device\{29633AC7-C9B6-407B-8FE3-D079B0304CA3} to be audited? 99% of
> the entries are these \Device\ ones.
>
> Thanks
>
> Jason
>
Anonymous
February 3, 2005 6:46:50 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I eventually came right. After moving the Computer and Username to a
different OU and then moving them back, it started working. Thank you
for your help Steven.
!