Solved

False Failure Audits 560 on Windows Server

Posted on 2009-07-10
Last Modified: 2013-12-04
We have a Windows Server 2003 Enterprise Edition SP2 with auditing enabled.  For some reason we are getting audit failure 560 events on files that people appear to have full control over.  I have seen a known issue, but it was supposed to be fixed with SP2.  This is part of a win2k3 domain.  Below is the event logged:

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      D:\Work\_SENSITIVE\PrePay\MCS_Downloads\ClaimData_TX_00960T_071009_AO_Hardcopy.xls
       Handle ID:      -
       Operation ID:      {0,475667007}
       Process ID:      4
       Image File Name:      
       Primary User Name:      MachineName$
       Primary Domain:      ZPIC
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      ortleya
       Client Domain:      ZPIC
       Client Logon ID:      (0x0,0x1C433BAE)
       Accesses:      DELETE
                  READ_CONTROL
                  ACCESS_SYS_SEC
                  ReadData (or ListDirectory)
                  ReadEA
                  ReadAttributes
                  
       Privileges:      -
       Restricted Sid Count:      0
       Access Mask:      0x1030089
0
Question by:delmarvamonkey
 
LVL 20

Expert Comment

by:MightySW
ID: 24824040
Hi, ensure that the permissions have fully propagated down to the rest of the files.  This looks like what has happened.  You may have to take ownership as a domain admin, clear the permissions for that user by propagating all ownership permissions on all folders and files.  

You can then click OK and get out of security, go back in and then add in the user, and go under advanced and propagate the permissions (full control if you like) for that user on ALL of the folders and files in the folders.

HTH
0
 

Author Comment

by:delmarvamonkey
ID: 24824609
Thanks, but I am sure permissions have fully propagated.  The permissions tab on this exact file shows the user as having full control.  It is being inherited from the parent, but she still has full control to this file. Before I submitted this question, I went on the parent folder and replaced entries on child objects and enabled inheritance, so I am sure the permissions propagated.  The error is still happening.  Are you saying I should remove everyone and then try adding them back?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24824629
Can the user open the file just fine?
0
 
LVL 20

Accepted Solution

by:MightySW earned 500 total points
ID: 24824839
You know what, I seem to remember having issues with this as well.  The users could operate just fine, but the errors continued.  SP2 was already applied.  

I looked back at someone else that I answered with this exact same issue and found this:

http://www.tomshardware.com/forum/194902-46-failure-audit

You should check these as well for some more info (especially the first link):

http://technet.microsoft.com/en-us/library/cc781716(WS.10).aspx
http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms717798(VS.85).aspx

HTH

0
 

Author Comment

by:delmarvamonkey
ID: 24826201
Yes, the user has all of the expected access to the file, the event log is just generating the failure audit.  There is a lot of information in those links, but I did not see anything for me to really try to fix the issue (unless I missed it). Any suggestion is appreciated.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24826233
That is the thing.  There is really no fix.  It is by design.  When they close access and switch over from one group to another then it will log the event.  

I log all of these events as well, however I centralize them and basically filter them out with the event collection software.

This may not be what is happening to you.  One thing that you could try is to reinstall SP2.
0
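
Added example, not part of any post in this thread: one way to do the collector-side filtering mentioned in the last comment is to decode the event's Access Mask and separate failures that request ACCESS_SYS_SEC (access to the SACL, which file permissions cannot grant and which needs SeSecurityPrivilege) from failures on rights that Full Control covers. The function names and triage labels are this example's own, and reading ACCESS_SYS_SEC as the cause of the failures on this server is an assumption the thread does not confirm.

```python
import re

# Names for the access-mask bits; the ones present in the question's event
# are spelled the way that event spells them.
RIGHTS = {
    0x1: "ReadData (or ListDirectory)", 0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory)", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
    0x1000000: "ACCESS_SYS_SEC",
}
FILE_ALL_ACCESS = 0x1F01FF  # everything "Full Control" on a file can grant
ACCESS_SYS_SEC = 0x1000000  # read/write the SACL; gated by SeSecurityPrivilege

def parse_560(text):
    """Extract the fields used for triage from a 560 event description."""
    def field(name):
        m = re.search(rf"^\s*{re.escape(name)}:[ \t]*(.*)$", text, re.M)
        return m.group(1).strip() if m else ""
    return {"user": field("Client User Name"), "object": field("Object Name"),
            "privileges": field("Privileges"), "mask": int(field("Access Mask"), 16)}

def decode_mask(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def triage(event):
    """Classify a failure audit; the labels are this example's own."""
    outside_acl = event["mask"] & ~FILE_ALL_ACCESS
    if outside_acl & ACCESS_SYS_SEC and event["privileges"] in ("", "-"):
        return "expected: SACL access requested, no privilege used"
    if outside_acl:
        return "review: rights outside Full Control requested"
    return "review: request within Full Control was denied"

# Fields from the question's event; the object name is a constructed stand-in.
SAMPLE = r"""Object Open:
       Object Name:      D:\Work\example.xls
       Client User Name:      ortleya
       Accesses:      DELETE
                  READ_CONTROL
                  ACCESS_SYS_SEC
       Privileges:      -
       Access Mask:      0x1030089
"""

if __name__ == "__main__":
    ev = parse_560(SAMPLE)
    print(ev["user"], decode_mask(ev["mask"]), triage(ev), sep="\n")
```

Failures labelled "review" are the ones worth keeping in the central log, since they involve rights that the file's permissions were expected to decide.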