False Failure Audits 560 on Windows Server

We have a Windows Server 2003 Enterprise Edition sp2 with auditing enabled. For some reason we are getting audit failure 560 events on files that people appear to have full control over. I have seen a known issue, but it was supposed to be fixed with sp2. This is part of a win2k3 domain. Below is the event logged:

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      D:\Work\_SENSITIVE\PrePay\MCS_Downloads\ClaimData_TX_00960T_071009_AO_Hardcopy.xls
       Handle ID:      -
       Operation ID:      {0,475667007}
       Process ID:      4
       Image File Name:      
       Primary User Name:      MachineName$
       Primary Domain:      ZPIC
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      ortleya
       Client Domain:      ZPIC
       Client Logon ID:      (0x0,0x1C433BAE)
       Accesses:      DELETE
                  READ_CONTROL
                  ACCESS_SYS_SEC
                  ReadData (or ListDirectory)
                  ReadEA
                  ReadAttributes
                  
       Privileges:      -
       Restricted Sid Count:      0
       Access Mask:      0x1030089
delmarvamonkey Asked:

MightySW Commented:
Hi, ensure that the permissions have fully propagated down to the rest of the files.  This looks like what has happened.  You may have to take ownership as a domain admin, clear the permissions for that user by propagating all ownership permissions on all folders and files.  

You can then click ok and get out of security, go back in and then add in the user, and go under advanced and propagate the permissions (full control if you like) for that user on ALL of the folder and files in the folders.

HTH

delmarvamonkey (Author) Commented:
Thanks, but I am sure permissions have fully propagated.  The permissions tab on this exact file shows the user as having full control.  It is being inherited from the parent, but she still has full control to this file. Before I submitted this question, I went on the parent folder and replaced entries on child objects and enabled inheritance, so I am sure the permissions propagated.  The error is still happening.  Are you saying I should remove everyone and then try adding them back?

MightySW Commented:
Can the user open the file just fine?

MightySW Commented:
You know what, I seem to remember having issues with this as well.  The users could operate just fine, but the errors continued.  SP2 was already applied.  

I looked back at someone else that I answered with this exact same issue and found this:

http://www.tomshardware.com/forum/194902-46-failure-audit

You should check these as well for some more info (especially the first link):

http://technet.microsoft.com/en-us/library/cc781716(WS.10).aspx
http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms717798(VS.85).aspx

HTH

delmarvamonkey (Author) Commented:
Yes, the user has all of the expected access to the file, the event log is just generating the failure audit.  There is a lot of information in those links, but I did not see anything for me to really try to fix the issue (unless I missed it). Any suggestion is appreciated.

MightySW Commented:
That is the thing.  There is really no fix.  It is by design.  When they close access and switch over from one group to another then it will log the event.  

I log all of these events as well, however I centralize them and basically filter them out with the event collection software.

This may not be what is happening to you. One thing that you could try is reinstall SP2.
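
Added example, not part of the original thread or any poster's code: a small Python triage helper that decodes the Access Mask of a 560 event and reports which requested rights fall outside what a Full Control ACE grants. Run on an excerpt of the event in the question, it shows that ACCESS_SYS_SEC is gated by SeSecurityPrivilege rather than the DACL, which is one reason a failure audit can be logged for a user whose file permissions look complete. The function names and the returned dictionary layout are assumptions made for this example.

```python
import re

# File-object access bits (values from the Windows SDK headers).
FILE_RIGHTS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYS_SEC",
}
FILE_ALL_ACCESS = 0x001F01FF         # what "Full Control" in the DACL covers
ACCESS_SYSTEM_SECURITY = 0x01000000  # granted via SeSecurityPrivilege only

# Excerpt of the event text posted in the question above.
SAMPLE_EVENT = """Client User Name:      ortleya
Privileges:      -
Restricted Sid Count:      0
Access Mask:      0x1030089"""

def decode_mask(mask):
    """Return the names of the access bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]

def triage_560(event_text):
    """Parse a 560 event's text and flag rights a Full Control ACE cannot grant."""
    mask = int(re.search(r"Access Mask:[ \t]*(0x[0-9A-Fa-f]+)", event_text).group(1), 16)
    privs = re.search(r"Privileges:[ \t]*(\S+)", event_text).group(1)
    return {
        "mask": mask,
        "rights": decode_mask(mask),
        "beyond_full_control": decode_mask(mask & ~FILE_ALL_ACCESS),
        # SACL access was requested but the event records no privilege in use
        "sacl_access_without_privilege":
            bool(mask & ACCESS_SYSTEM_SECURITY) and privs == "-",
    }

if __name__ == "__main__":
    for key, value in triage_560(SAMPLE_EVENT).items():
        print(key, "=", value)
```

A collector-side filter like the one MightySW describes could key on `sacl_access_without_privilege` to separate these events from failures where an ordinary DACL right was denied.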