Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

False Failure Audits 560 on Windows Server

Posted on 2009-07-10
6
Medium Priority
?
455 Views
Last Modified: 2013-12-04
We have a Windows Server 2003 Enterprise Edition sp2 with auditing enabled.  For some reason we are getting audit failure 560 events on files that people appear to have full control over.  I have seen a known issue, but it was supposed to be fixed with sp2.  This part of a win2k3 domain.  Below is the event logged:

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      D:\Work\_SENSITIVE\PrePay\MCS_Downloads\ClaimData_TX_00960T_071009_AO_Hardcopy.xls
       Handle ID:      -
       Operation ID:      {0,475667007}
       Process ID:      4
       Image File Name:      
       Primary User Name:      MachineName$
       Primary Domain:      ZPIC
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      ortleya
       Client Domain:      ZPIC
       Client Logon ID:      (0x0,0x1C433BAE)
       Accesses:      DELETE
                  READ_CONTROL
                  ACCESS_SYS_SEC
                  ReadData (or ListDirectory)
                  ReadEA
                  ReadAttributes
                  
       Privileges:      -
       Restricted Sid Count:      0
       Access Mask:      0x1030089
0
Comment
Question by:delmarvamonkey
  • 4
  • 2
6 Comments
 
LVL 20

Expert Comment

by:MightySW
ID: 24824040
Hi, ensure that the permissions have fully propagated down to the rest of the files.  This looks like what has happened.  You may have to take ownership as a domain admin, clear the permissions for that user by propagating all ownership permissions on all folders and files.  

You can then click ok and get out of security, go back in and then add in the user, and go under advanced and propagate the permissions (full control if you like) for that user on ALL of the folder and files in the folders.

HTH
0
 

Author Comment

by:delmarvamonkey
ID: 24824609
Thanks, but I am sure permissions have fully propagated.  The permissions tab on this exact file shows the user as having full control.  It is being inherited from the parent, but she still has full control to this file. Before I submitted this question, I went on the parent folder and replaced entries on child objects and enabled inheritance, so I am sure the permissions propagated.  The error is still happening.  Are you saying I should remove everyone and then try adding them back?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24824629
Can the user open the file just fine?
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 20

Accepted Solution

by:
MightySW earned 1500 total points
ID: 24824839
You know what, I seem to remember having issues with this as well.  The users could operate just fine, but the errors continued.  SP2 was already applied.  

I looked back at someone else that I answered with this exact same issue and found this:

http://www.tomshardware.com/forum/194902-46-failure-audit

You should check these as well for some more info (especially the first link):

http://technet.microsoft.com/en-us/library/cc781716(WS.10).aspx
http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms717798(VS.85).aspx

HTH

0
 

Author Comment

by:delmarvamonkey
ID: 24826201
Yes, the user has all of the expected access to the file, the event log is just generating the failure audit.  There is a lot of information in those links, but I did not see anything for me to really try to fix the issue (unless I missed it). Any suggestion is appreciated.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24826233
That is the thing.  There is really no fix.  It is by design.  When they close access and switch over from one group to another then it will log the event.  

I log all of these events as well, however I centralize them and basically filter them out with the event collection software.

This my not be what is happening to you.  One thing that you could try is reinstall SP2.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question