ljtxoov
asked on
How to resolve event id 578?
I kept getting this event 578 in my security log. I set the log size to 128MB and it will fill this log in about 10 minutes, therefore leaving no room to log other activities that I really want. So how do I resolve this problem? Below is the actual log:
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 12/12/2005
Time: 8:50:59 AM
User: myDC_Server\administrator_account
Computer: DC_Server_Name
Description:
Privileged object operation:
Object Server: Security
Object Handle: 1168
Process ID: 4120
Primary User Name: administrator_account
Primary Domain: myDC_Server
Primary Logon ID: (0x0,0x30BBC)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeTakeOwnershipPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I have tried disabling all the event audits and I still get this event, so I'm not sure where it's coming from and how to restrict it.
ASKER
Thank you for your response. This is what I have currently on my domain server.
under Default Domain Policy
in Local Policies/Audit Policy:
Audit account logon events Success, Failure
Audit account management Success, Failure
Audit logon events Success, Failure
Audit policy change Success, Failure
Audit process tracking No auditing
Audit system events Success, Failure
under Default Domain Controllers Policy
in Local Policies/Audit Policy:
Audit account logon events Success, Failure
Audit account management Success, Failure
Audit logon events Success, Failure
Audit policy change Success, Failure
Audit process tracking No auditing
Audit system events Success, Failure
There is no Local Security Policy on the DC server.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
I don't think it is corrupted. What I showed you is from the group policy management. If I open up the Group Object Editor, I see that it's all there. The reason why Audit directory service, Audit object access, and Audit privilege use are not showing up in group policy management is because I set them to Not Defined. Should I set them to Not Auditing? What's the difference? Does Not Defined mean it is still auditing, and is that why I kept getting event ID 578?
SOLUTION
This solution is only available to members.
ASKER
For now, I'll say the event 578 has stopped when I set it to No Audit. I'll split the points among you two since I first got the idea from Jeff's example but a lot more details and explanations on the difference between No Audit and Not Defined.
By the way, how do I go about finding what triggers the event?
I would check all possible levels where this may be turned on, and also, ensure that there is no Group Policy that sets it back on after you manually disable it.
So, check Domain Controller Security Policy, then the Domain Security Policy and then Local Security Policy.
Also, check GPOs that may be applying to the OU...
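On the follow-up question of what triggers the event: the 578 record itself carries a Process ID, user name and privilege, so tallying an exported log by those fields shows which process is producing the flood. The script below is an added example, not part of the original thread; it assumes the log has been exported as text in the field layout shown in the question, and the sample records and the `service_account` name are constructed.

```python
import re
from collections import Counter
# Constructed sample records, using the field layout from the question.
SAMPLE = """\
Event Type: Success Audit
Event ID: 578
Process ID: 4120
Primary User Name: administrator_account
Privileges: SeTakeOwnershipPrivilege
Event Type: Success Audit
Event ID: 578
Process ID: 4120
Primary User Name: administrator_account
Privileges: SeTakeOwnershipPrivilege
Event Type: Success Audit
Event ID: 578
Process ID: 812
Primary User Name: service_account
Privileges: SeSecurityPrivilege
Event Type: Success Audit
Event ID: 576
Privileges: SeSecurityPrivilege
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_records(text):
    """Split exported log text into dicts; 'Event Type' starts a new record."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # free text such as the "For more information" footer
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def tally_578(text):
    """Count event 578 by (process ID, user, privilege), most frequent first."""
    counts = Counter(
        (r.get("Process ID"), r.get("Primary User Name"), r.get("Privileges"))
        for r in parse_records(text) if r.get("Event ID") == "578")
    return counts.most_common()

if __name__ == "__main__":
    for (pid, user, priv), n in tally_578(SAMPLE):
        print(f"{n:6d}  pid={pid}  user={user}  privilege={priv}")
```

The Process ID at the top of the tally can then be matched against the PID column of the running processes on the server while the events are still being generated.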