Solved

Event Log...Event ID 560

Posted on 2000-05-15
3
610 Views
Last Modified: 2013-12-28
Can anyone shed a little light on what this means?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            5/9/2000
Time:            11:20:12 AM
User:            COSMOS\smithd
Computer:      THOR
Description:
Object Open:
       Object Server:      Security Account Manager
       Object Type:      SAM_DOMAIN
       Object Name:      COSMOS
       New Handle ID:      -
       Operation ID:      {0,11019822}
       Process ID:      2162919808
       Primary User Name:      SYSTEM
       Primary Domain:      NT AUTHORITY
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      smithd
       Client Domain:      COSMOS
       Client Logon ID:      (0x0,0xA8260B)
       Accesses            ReadPasswordParameters
            WritePasswordParameters
            CreateLocalGroup
            GetLocalGroupMembership
            ListAccounts
            LookupIDs
            
       Privileges            -
 
0
Comment
Question by:devault
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 2811999
It sounds like someboby is trying to Access the SAM ( security database ) and read passwords and other info.
They might be gathering info to try and crack the Admin passwords, or it could be a back door Virus gathering info about your system.
in any case, I would take it seriously !!

0
 
LVL 86

Accepted Solution

by:
jkr earned 200 total points
ID: 2812075
From the actions mentioned in the record, it's most likely that 'smithd' tried to use the user manager without having the privileges to do so - see http://support.microsoft.com/support/kb/articles/Q174/0/74.ASP ("Security Event Descriptions")
0
 

Author Comment

by:devault
ID: 2812284
I didn't see anything real pertinent on Microsoft's page, but I did log in w/ an account that didn't have sufficient privileges and tried to use the User Manager to view the members of the Domain Admins group for the domain and got exactly the same results.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
IPC$ Password 13 57
Copy one row (from Word) into one cell 14 50
Backup Software for Windows 7 9 67
2012R2 Foundation license compliance 3 42
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
How to record audio from input sources to your PC – connected devices, connected preamp to record vinyl discs, streaming media, that play through your audio card: Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 – both 32 bit & 64.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question