pbuch

asked on

Set ACLs of members in administrators groups

I'm running a Windows 2003 Domain Controller which is logging this event for several users who are not in any administrators group. Here is the security log entry of the DC called TS69.ts.tengo.com (names changed):

Source: Security
Category: Account Managment
Type: Success A
Event Id: 684
User: NT AUHTHORITY\ANONYMOUS LOGON
Computer: TS69

Set ACLs of members in administrators groups:
       Target Account Name:      Cmayz
       Target Domain:            DC=ts,DC=tengo,DC=com
       Target Account ID:      DOMAIN\Cmayz
       Caller User Name:      TS69$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Privileges:      -

Any ideas why non-administrators are showing up in the log? In fact, no actual administrators show up with this Event ID 684. I did some research on the event ID and this is what Microsoft says:

Event: 684
Set the security descriptor of members of administrative groups.
Security descriptor: A data structure that contains security information associated with a protected object. Security descriptors include information about who owns the object, who can access it and in what way, and what types of access are audited.
Note: Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.

Gnart

Start with an audit of those users' machines / the server for trojans/worms/viruses, just in case. It seems like the security descriptor of the authenticated principal is being (attempted) applied to other principals. It could be a rogue process playing tag-along with an administrative principal to gain a foothold on your W2K3. Since W2K3 is more secure, we need a little more info on the thread that is playing tag....

cheers

ASKER

Here are the Default Domain Controllers Policy auditing settings. Why?

Audit account logon events      Failure
Audit account management        Success, Failure
Audit directory service access  No auditing
Audit logon events              Failure
Audit object access             Failure
Audit policy change             Success, Failure
Audit privilege use             No auditing
Audit process tracking          No auditing
Audit system events             Success, Failure

OK, found it - no more gray hair ... apparently this is normal for W2K3 - from MS:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prnf_msg_zzss.asp

********************************************************

684   Set the security descriptor of members of administrative groups.
Parameters: Domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURE_ADMIN_GROUP

Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.

cheers
pbuch,

Any status? Did the above validate your issue?

Thanks / Gnart
ASKER CERTIFIED SOLUTION
gemarti
This is the actual MS solution
Event ID 684 is logged every 60 minutes on a PDC emulator after you raise the forest functional level to Windows Server 2003, at http://support.microsoft.com/kb/926096/en-us

Within this article is a link that takes you to the fix I applied for the same problem, located here:
Delegated permissions are not available and inheritance is automatically disabled http://support.microsoft.com/kb/817433/
Read this carefully to make sure this applies to your situation.

I used workaround method 2
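The thread's explanation is that the 684 entries come from the hourly background thread that stamps a fixed security descriptor on members of administrative groups, including members reached through nested groups, which is why an account that looks like a "non-administrator" can appear as the target. The following script is an added example (not from this thread, Microsoft, or Experts Exchange) that a defender can use to check whether the target accounts named in those events are in fact transitive members of a protected group; it assumes the ActiveDirectory module is available, that the DC's Security log is readable with Get-WinEvent (on Windows Server 2003 itself you would export the log or use Get-EventLog instead), and the group list and hostname are assumptions to adjust.

```powershell
# Added example: cross-check Event ID 684 targets against transitive membership of
# protected admin groups. Hostname, group list and field parsing are assumptions.
Import-Module ActiveDirectory

$dc = 'TS69.ts.tengo.com'   # DC whose Security log is inspected (name from the question)

# Groups whose members receive the fixed security descriptor; this list is an assumption
# covering the groups the thread names plus the usual built-in operator groups.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'

# Map SamAccountName -> first protected group it belongs to, following nested membership,
# because the background thread treats nested members the same as direct members.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { if (-not $protectedMembers.ContainsKey($_.SamAccountName)) {
                                 $protectedMembers[$_.SamAccountName] = $g } }
    } catch { Write-Warning "Could not expand group '$g': $_" }
}

# Event 684 is the Windows Server 2003 ID; on Windows Server 2008 and later the same
# background-thread event is logged as 4780, so both are requested here.
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 684, 4780 }

# The message body carries "Target Account Name:   <name>" as in the pasted entry.
$report = foreach ($e in $events) {
    if ($e.Message -match 'Target Account Name:\s+(\S+)') {
        $target = $Matches[1]
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Target    = $target
            ViaGroup  = $protectedMembers[$target]            # $null when not a member
            Protected = $protectedMembers.ContainsKey($target)
        }
    }
}

# Targets with Protected = False are the ones worth investigating: the thread should only
# touch members of protected groups, so an unexpected target points at a membership you
# did not know about or at something else writing these events.
$report | Sort-Object Protected, Target | Format-Table -AutoSize

# Related check for the KB817433 symptom: accounts still flagged adminCount=1 but no longer
# in any protected group keep the restrictive descriptor and do not regain inheritance.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $protectedMembers.ContainsKey($_.SamAccountName) } |
    Select-Object SamAccountName
```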