False Failure Audits 560 on Windows Server

We have a Windows Server 2003 Enterprise Edition sp2 with auditing enabled.  For some reason we are getting audit failure 560 events on files that people appear to have full control over.  I have seen a known issue, but it was supposed to be fixed with sp2.  This part of a win2k3 domain.  Below is the event logged:

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      D:\Work\_SENSITIVE\PrePay\MCS_Downloads\ClaimData_TX_00960T_071009_AO_Hardcopy.xls
       Handle ID:      -
       Operation ID:      {0,475667007}
       Process ID:      4
       Image File Name:      
       Primary User Name:      MachineName$
       Primary Domain:      ZPIC
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      ortleya
       Client Domain:      ZPIC
       Client Logon ID:      (0x0,0x1C433BAE)
       Accesses:      DELETE
                  READ_CONTROL
                  ACCESS_SYS_SEC
                  ReadData (or ListDirectory)
                  ReadEA
                  ReadAttributes
                  
       Privileges:      -
       Restricted Sid Count:      0
       Access Mask:      0x1030089
delmarvamonkeyAsked:
Who is Participating?
 
MightySWConnect With a Mentor Commented:
You know what, I seem to remember having issues with this as well.  The users could operate just fine, but the errors continued.  SP2 was already applied.  

I looked back at someone else that I answered with this exact same issue and found this:

http://www.tomshardware.com/forum/194902-46-failure-audit

You should check these as well for some more info (especially the first link):

http://technet.microsoft.com/en-us/library/cc781716(WS.10).aspx
http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms717798(VS.85).aspx

HTH

0
 
MightySWCommented:
Hi, ensure that the permissions have fully propagated down to the rest of the files.  This looks like what has happened.  You may have to take ownership as a domain admin, clear the permissions for that user by propagating all ownership permissions on all folders and files.  

You can then click ok and get out of security, go back in and then add in the user, and go under advanced and propagate the permissions (full control if you like) for that user on ALL of the folder and files in the folders.

HTH
0
 
delmarvamonkeyAuthor Commented:
Thanks, but I am sure permissions have fully propagated.  The permissions tab on this exact file shows the user as having full control.  It is being inherited from the parent, but she still has full control to this file. Before I submitted this question, I went on the parent folder and replaced entries on child objects and enabled inheritance, so I am sure the permissions propagated.  The error is still happening.  Are you saying I should remove everyone and then try adding them back?
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
MightySWCommented:
Can the user open the file just fine?
0
 
delmarvamonkeyAuthor Commented:
Yes, the user has all of the expected access to the file, the event log is just generating the failure audit.  There is a lot of information in those links, but I did not see anything for me to really try to fix the issue (unless I missed it). Any suggestion is appreciated.
0
 
MightySWCommented:
That is the thing.  There is really no fix.  It is by design.  When they close access and switch over from one group to another then it will log the event.  

I log all of these events as well, however I centralize them and basically filter them out with the event collection software.

This my not be what is happening to you.  One thing that you could try is reinstall SP2.
0
All Courses

From novice to tech pro — start learning today.