Solved

Object Access - Security Event Log Failure Audit 560

Posted on 2008-11-01
1
3,688 Views
Last Modified: 2013-12-04
I am runnning Windows Server 2003 with SP 2 and am still getiing multiple instances of this failure audit. I would like to turn off auditing object access but it has be turned on for compliance reasons.
It is always the same object \Device\NetbiosSmb at C:\WINDOWS\system32\svchost.exe that is filling my security log file (two events every minute)

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            11/1/2008
Time:            10:44:54 AM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      123
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      \Device\NetbiosSmb
       Handle ID:      -
       Operation ID:      {0,540101}
       Process ID:      860
       Image File Name:      C:\WINDOWS\system32\svchost.exe
       Primary User Name:      LOCAL SERVICE
       Primary Domain:      NT AUTHORITY
       Primary Logon ID:      (0x0,0x3E5)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:      SYNCHRONIZE
                  ReadData (or ListDirectory)
                  WriteData (or AddFile)
                  
       Privileges:      -
       Restricted Sid Count:      0
       Access Mask:      0x100003

0
Comment
Question by:eric789
1 Comment
 
LVL 8

Accepted Solution

by:
smilerz earned 500 total points
ID: 22857572
According to <a href="http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic8837.aspx">this </a>site, this is expected behavior. " This error appear every 2 minutes on machines where domain users tries to query the status of the indexing service, where this clients have not permission, so it generates a failure audit if audit object access is turned on. You can just turn off auditing of object access or, you can turn off auditing on that specific service. In Group policy, go to Computer Configuration -> Windows Settings -> Security Settings -> System Services. Double click the indexing service, set it to disabled, and then click Edit Security. At this point there are two options, you can give the users who this is happening to permission to the service, or you can go into auditing and remove auditing for everyone for failed events (which is on by default on all services)." You can turn off failure just for that object if you want to eliminate that error - otherwise I think you are stuck.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Domain admin accounts get locked out 35 59
Regarding Ad Connect Users Access 5 31
Laptop "remote wipe" -- stolen ? 10 91
AD Sites/AD Replication 11 34
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question