Solved

False Failure Audits 560 on Windows Server

Posted on 2009-07-10
6
447 Views
Last Modified: 2013-12-04
We have a Windows Server 2003 Enterprise Edition sp2 with auditing enabled.  For some reason we are getting audit failure 560 events on files that people appear to have full control over.  I have seen a known issue, but it was supposed to be fixed with sp2.  This part of a win2k3 domain.  Below is the event logged:

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      D:\Work\_SENSITIVE\PrePay\MCS_Downloads\ClaimData_TX_00960T_071009_AO_Hardcopy.xls
       Handle ID:      -
       Operation ID:      {0,475667007}
       Process ID:      4
       Image File Name:      
       Primary User Name:      MachineName$
       Primary Domain:      ZPIC
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      ortleya
       Client Domain:      ZPIC
       Client Logon ID:      (0x0,0x1C433BAE)
       Accesses:      DELETE
                  READ_CONTROL
                  ACCESS_SYS_SEC
                  ReadData (or ListDirectory)
                  ReadEA
                  ReadAttributes
                  
       Privileges:      -
       Restricted Sid Count:      0
       Access Mask:      0x1030089
0
Comment
Question by:delmarvamonkey
  • 4
  • 2
6 Comments
 
LVL 20

Expert Comment

by:MightySW
ID: 24824040
Hi, ensure that the permissions have fully propagated down to the rest of the files.  This looks like what has happened.  You may have to take ownership as a domain admin, clear the permissions for that user by propagating all ownership permissions on all folders and files.  

You can then click ok and get out of security, go back in and then add in the user, and go under advanced and propagate the permissions (full control if you like) for that user on ALL of the folder and files in the folders.

HTH
0
 

Author Comment

by:delmarvamonkey
ID: 24824609
Thanks, but I am sure permissions have fully propagated.  The permissions tab on this exact file shows the user as having full control.  It is being inherited from the parent, but she still has full control to this file. Before I submitted this question, I went on the parent folder and replaced entries on child objects and enabled inheritance, so I am sure the permissions propagated.  The error is still happening.  Are you saying I should remove everyone and then try adding them back?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24824629
Can the user open the file just fine?
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 20

Accepted Solution

by:
MightySW earned 500 total points
ID: 24824839
You know what, I seem to remember having issues with this as well.  The users could operate just fine, but the errors continued.  SP2 was already applied.  

I looked back at someone else that I answered with this exact same issue and found this:

http://www.tomshardware.com/forum/194902-46-failure-audit

You should check these as well for some more info (especially the first link):

http://technet.microsoft.com/en-us/library/cc781716(WS.10).aspx
http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms717798(VS.85).aspx

HTH

0
 

Author Comment

by:delmarvamonkey
ID: 24826201
Yes, the user has all of the expected access to the file, the event log is just generating the failure audit.  There is a lot of information in those links, but I did not see anything for me to really try to fix the issue (unless I missed it). Any suggestion is appreciated.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24826233
That is the thing.  There is really no fix.  It is by design.  When they close access and switch over from one group to another then it will log the event.  

I log all of these events as well, however I centralize them and basically filter them out with the event collection software.

This my not be what is happening to you.  One thing that you could try is reinstall SP2.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question