ljtxoov

How to resolve event id 578?

I kept getting this event 578 on my security log. I set the log size to 128MB and it will fill this log in about 10 minutes, therefore leaving no room to log other activities that I really want. So how do I resolve this problem? Below is the actual log:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      578
Date:            12/12/2005
Time:            8:50:59 AM
User:            myDC_Server\administrator_account
Computer:      DC_Server_Name
Description:
Privileged object operation:
       Object Server:      Security
       Object Handle:      1168
       Process ID:      4120
       Primary User Name:      administrator_account
       Primary Domain:      myDC_Server
       Primary Logon ID:      (0x0,0x30BBC)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Privileges:      SeTakeOwnershipPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I have tried disabling all the event audits and I still get this event, so I'm not sure where it's coming from and how to restrict it.
JMMI

Looks like Audit Privilege Usage is still turned on...

I would check all possible levels where this may be turned on, and also, ensure that there is no Group Policy that sets it back on after you manually disable it.
So, check Domain Controller Security Policy, then the Domain Security Policy and then Local Security Policy.

Also, check GPOs that may be applying to the OU...
ljtxoov

ASKER

Thank you for your response. This is what I have currently on my domain server.

under Default Domain Policy

in Local Policies/Audit Policy:

Audit account logon events       Success, Failure
Audit account management       Success, Failure
Audit logon events             Success, Failure
Audit policy change             Success, Failure
Audit process tracking             No auditing
Audit system events             Success, Failure

under Default Domain Controllers Policy

in Local Policies/Audit Policy:

Audit account logon events       Success, Failure
Audit account management       Success, Failure
Audit logon events             Success, Failure
Audit policy change             Success, Failure
Audit process tracking             No auditing
Audit system events             Success, Failure

There is no Local Security Policy on the DC server.
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
This solution is only available to members.
ljtxoov

ASKER

I don't think it is corrupted. What I showed you is from the group policy management. If I open up the Group Object Editor, I see that it's all there. The reason why Audit directory service, Audit object access, and Audit privilege use are not showing up in group policy management is because I set them to Not Defined. Should I set it to Not Auditing? What's the difference? Does Not Defined mean it is still auditing, and is that why I kept getting the event id 578?
SOLUTION
This solution is only available to members.
ljtxoov

ASKER

For now, I'll say the event 578 has stopped when I set it to No Audit. I'll split the points among you two since I first got the idea from Jeff's example but a lot more details and explanations on the difference between No Audit and Not Defined.

By the way, how do I go about finding what triggers the event?
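
For the closing question about what triggers the event, one approach is to export the Security log to text and tally the 578 records by Process ID, user and privilege, so the noisiest process stands out and can be matched against the running process list. This is an added example, not part of the original thread; it assumes the export keeps the field layout shown in the question, and the sample records (including `backup_svc` and PID 980) are constructed.

```python
import re
from collections import Counter

# "Key:   value" lines; the key ends at the first colon, so "Time: 8:50:59 AM" parses.
FIELD = re.compile(r"^\s*([^:\n]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split exported log text into dicts; a record starts at 'Event Type:'."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def summarize_578(text):
    """Count event 578 records per (Process ID, Primary User Name, Privileges)."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("Event ID") == "578":
            counts[(ev.get("Process ID", "?"),
                    ev.get("Primary User Name", "?"),
                    ev.get("Privileges", "?"))] += 1
    return counts.most_common()

def sample_record(event_id, pid, user, privilege):
    """Build one constructed record in the layout shown in the question."""
    return (
        "Event Type:      Success Audit\n"
        "Event Category:      Privilege Use\n"
        f"Event ID:      {event_id}\n"
        "Time:            8:50:59 AM\n"
        "Description:\n"
        "Privileged object operation:\n"
        f"       Process ID:      {pid}\n"
        f"       Primary User Name:      {user}\n"
        f"       Privileges:      {privilege}\n\n"
    )

# Constructed sample input, not real log data.
SAMPLE = (sample_record(578, 4120, "administrator_account", "SeTakeOwnershipPrivilege") * 3
          + sample_record(578, 980, "backup_svc", "SeSecurityPrivilege")
          + sample_record(576, 4120, "administrator_account", "SeTakeOwnershipPrivilege"))

if __name__ == "__main__":
    for (pid, user, priv), n in summarize_578(SAMPLE):
        print(f"{n:6d}  pid={pid}  user={user}  privileges={priv}")
```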