Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

  • Thread starter Thread starter kcsteele
  • Start date Start date
K

kcsteele

Guest
Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

Hi, I'm getting failure audits in the security log of the PDC every
time a user logs on or a computer refreshes computer policy:

[USER]


Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/26/2008
Time: 7:12:15 AM
User: DOMAIN\User
Computer: DC
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-
FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
Handle ID: -
Operation ID: {0,81314006}
Process ID: 4
Image File Name:
Primary User Name: DC$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: user
Client Domain: DOMAIN
Client Logon ID: (0x0,0x4D8BED6)
Accesses: READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or
CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes


Privileges: -
Restricted Sid Count: 0
Access Mask: 0x2019F


[COMPUTER]


Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/26/2008
Time: 7:14:28 AM
User: DOMAIN\WORKSTATION$
Computer: DC
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-
F537-4423-
A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
Handle ID: -
Operation ID: {0,81342299}
Process ID: 4
Image File Name:
Primary User Name: DC$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: WORKSTATION$
Client Domain: DOMAIN
Client Logon ID: (0x0,0x4D92D17)
Accesses: READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or
CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes


Privileges: -
Restricted Sid Count: 0
Access Mask: 0x2019F


This is accompanied by failure audits for each separate logon script
(startup script in the case of computers, not users). The strange
thing is that the scripts still run no problem. I'm trying to figure
out why there are failures getting triggered if the logon/startup
scripts still run successfully. I checked the NTFS ACL on the
track_logon.bat referenced in the first event, and it has read and
read&execute allowed for "authenticated users".


Thanks if anyone can provide any more info.
 
Re: Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.

Re: Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.

Hello kcsteele,

You talk about the script. Is in the script an user account configured for
some reason?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi, I'm getting failure audits in the security log of the PDC every
> time a user logs on or a computer refreshes computer policy:
>
> [USER]
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 2/26/2008
> Time: 7:12:15 AM
> User: DOMAIN\User
> Computer: DC
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-
> FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
> Handle ID: -
> Operation ID: {0,81314006}
> Process ID: 4
> Image File Name:
> Primary User Name: DC$
> Primary Domain: DOMAIN
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: user
> Client Domain: DOMAIN
> Client Logon ID: (0x0,0x4D8BED6)
> Accesses: READ_CONTROL
> ReadData (or ListDirectory)
> WriteData (or AddFile)
> AppendData (or AddSubdirectory or
> CreatePipeInstance)
> ReadEA
> WriteEA
> ReadAttributes
> WriteAttributes
> Privileges: -
> Restricted Sid Count: 0
> Access Mask: 0x2019F
> [COMPUTER]
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 2/26/2008
> Time: 7:14:28 AM
> User: DOMAIN\WORKSTATION$
> Computer: DC
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-
> F537-4423-
> A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
> Handle ID: -
> Operation ID: {0,81342299}
> Process ID: 4
> Image File Name:
> Primary User Name: DC$
> Primary Domain: DOMAIN
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: WORKSTATION$
> Client Domain: DOMAIN
> Client Logon ID: (0x0,0x4D92D17)
> Accesses: READ_CONTROL
> ReadData (or ListDirectory)
> WriteData (or AddFile)
> AppendData (or AddSubdirectory or
> CreatePipeInstance)
> ReadEA
> WriteEA
> ReadAttributes
> WriteAttributes
> Privileges: -
> Restricted Sid Count: 0
> Access Mask: 0x2019F
> This is accompanied by failure audits for each separate logon script
> (startup script in the case of computers, not users). The strange
> thing is that the scripts still run no problem. I'm trying to figure
> out why there are failures getting triggered if the logon/startup
> scripts still run successfully. I checked the NTFS ACL on the
> track_logon.bat referenced in the first event, and it has read and
> read&execute allowed for "authenticated users".
>
> Thanks if anyone can provide any more info.
>
 
Re: Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

Re: Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

Hi Meinolf,

They are just logon scripts assigned via GPO that do simple things
like append to a .txt file the time that the person logged in (you
will see in my original post the event references "track_logon.bat").
However, notice the other event I posted, you will see that it is a
machine attempting to refresh machine group policy, which also
generates a failure audit. Regardless the users and machines all
receive their policies and run the scripts OK, so I'm confused as to
why the failure audits are being triggered.

On Feb 27, 8:50 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
> Hello kcsteele,
>
> You talk about the script. Is in the script an user account configured for
> some reason?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>
> > Hi, I'm getting failure audits in the security log of the PDC every
> > time a user logs on or a computer refreshes computer policy:
>
> > [USER]
>
> > Event Type:     Failure Audit
> > Event Source:   Security
> > Event Category: Object Access
> > Event ID:       560
> > Date:           2/26/2008
> > Time:           7:12:15 AM
> > User:           DOMAIN\User
> > Computer:       DC
> > Description:
> > Object Open:
> > Object Server:  Security
> > Object Type:    File
> > Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-
> > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
> > Handle ID:      -
> > Operation ID:   {0,81314006}
> > Process ID:     4
> > Image File Name:
> > Primary User Name:      DC$
> > Primary Domain: DOMAIN
> > Primary Logon ID:       (0x0,0x3E7)
> > Client User Name:       user
> > Client Domain:  DOMAIN
> > Client Logon ID:        (0x0,0x4D8BED6)
> > Accesses:       READ_CONTROL
> > ReadData (or ListDirectory)
> > WriteData (or AddFile)
> > AppendData (or AddSubdirectory or
> > CreatePipeInstance)
> > ReadEA
> > WriteEA
> > ReadAttributes
> > WriteAttributes
> > Privileges:     -
> > Restricted Sid Count:   0
> > Access Mask:    0x2019F
> > [COMPUTER]
>
> > Event Type:     Failure Audit
> > Event Source:   Security
> > Event Category: Object Access
> > Event ID:       560
> > Date:           2/26/2008
> > Time:           7:14:28 AM
> > User:           DOMAIN\WORKSTATION$
> > Computer:       DC
> > Description:
> > Object Open:
> > Object Server:  Security
> > Object Type:    File
> > Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-
> > F537-4423-
> > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
> > Handle ID:      -
> > Operation ID:   {0,81342299}
> > Process ID:     4
> > Image File Name:
> > Primary User Name:      DC$
> > Primary Domain: DOMAIN
> > Primary Logon ID:       (0x0,0x3E7)
> > Client User Name:       WORKSTATION$
> > Client Domain:  DOMAIN
> > Client Logon ID:        (0x0,0x4D92D17)
> > Accesses:       READ_CONTROL
> > ReadData (or ListDirectory)
> > WriteData (or AddFile)
> > AppendData (or AddSubdirectory or
> > CreatePipeInstance)
> > ReadEA
> > WriteEA
> > ReadAttributes
> > WriteAttributes
> > Privileges:     -
> > Restricted Sid Count:   0
> > Access Mask:    0x2019F
> > This is accompanied by failure audits for each separate logon script
> > (startup script in the case of computers, not users). The strange
> > thing is that the scripts still run no problem. I'm trying to figure
> > out why there are failures getting triggered if the logon/startup
> > scripts still run successfully. I checked the NTFS ACL on the
> > track_logon.bat referenced in the first event, and it has read and
> > read&execute allowed for "authenticated users".
>
> > Thanks if anyone can provide any more info.- Hide quoted text -
>
> - Show quoted text -
 
Re: Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

Re: Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

Also the domain was originally NT4 and then upgraded to 2003. Perhaps
there is something lingering from the NT4 domain that is causing the
failures audits to be triggered?

On Feb 27, 8:50 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
> Hello kcsteele,
>
> You talk about the script. Is in the script an user account configured for
> some reason?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>
> > Hi, I'm getting failure audits in the security log of the PDC every
> > time a user logs on or a computer refreshes computer policy:
>
> > [USER]
>
> > Event Type:     Failure Audit
> > Event Source:   Security
> > Event Category: Object Access
> > Event ID:       560
> > Date:           2/26/2008
> > Time:           7:12:15 AM
> > User:           DOMAIN\User
> > Computer:       DC
> > Description:
> > Object Open:
> > Object Server:  Security
> > Object Type:    File
> > Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-
> > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
> > Handle ID:      -
> > Operation ID:   {0,81314006}
> > Process ID:     4
> > Image File Name:
> > Primary User Name:      DC$
> > Primary Domain: DOMAIN
> > Primary Logon ID:       (0x0,0x3E7)
> > Client User Name:       user
> > Client Domain:  DOMAIN
> > Client Logon ID:        (0x0,0x4D8BED6)
> > Accesses:       READ_CONTROL
> > ReadData (or ListDirectory)
> > WriteData (or AddFile)
> > AppendData (or AddSubdirectory or
> > CreatePipeInstance)
> > ReadEA
> > WriteEA
> > ReadAttributes
> > WriteAttributes
> > Privileges:     -
> > Restricted Sid Count:   0
> > Access Mask:    0x2019F
> > [COMPUTER]
>
> > Event Type:     Failure Audit
> > Event Source:   Security
> > Event Category: Object Access
> > Event ID:       560
> > Date:           2/26/2008
> > Time:           7:14:28 AM
> > User:           DOMAIN\WORKSTATION$
> > Computer:       DC
> > Description:
> > Object Open:
> > Object Server:  Security
> > Object Type:    File
> > Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-
> > F537-4423-
> > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
> > Handle ID:      -
> > Operation ID:   {0,81342299}
> > Process ID:     4
> > Image File Name:
> > Primary User Name:      DC$
> > Primary Domain: DOMAIN
> > Primary Logon ID:       (0x0,0x3E7)
> > Client User Name:       WORKSTATION$
> > Client Domain:  DOMAIN
> > Client Logon ID:        (0x0,0x4D92D17)
> > Accesses:       READ_CONTROL
> > ReadData (or ListDirectory)
> > WriteData (or AddFile)
> > AppendData (or AddSubdirectory or
> > CreatePipeInstance)
> > ReadEA
> > WriteEA
> > ReadAttributes
> > WriteAttributes
> > Privileges:     -
> > Restricted Sid Count:   0
> > Access Mask:    0x2019F
> > This is accompanied by failure audits for each separate logon script
> > (startup script in the case of computers, not users). The strange
> > thing is that the scripts still run no problem. I'm trying to figure
> > out why there are failures getting triggered if the logon/startup
> > scripts still run successfully. I checked the NTFS ACL on the
> > track_logon.bat referenced in the first event, and it has read and
> > read&execute allowed for "authenticated users".
>
> > Thanks if anyone can provide any more info.- Hide quoted text -
>
> - Show quoted text -
 
Re: Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

Re: Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

bump

thanks

On Feb 29, 7:07 am, kcsteele <k.c.ste...@gmail.com> wrote:
> Also the domain was originally NT4 and then upgraded to 2003. Perhaps
> there is something lingering from the NT4 domain that is causing the
> failures audits to be triggered?
>
> On Feb 27, 8:50 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>
>
>
> > Hello kcsteele,
>
> > You talk about the script. Is in the script an user account configured for
> > some reason?
>
> > Best regards
>
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > > Hi, I'm getting failure audits in the security log of the PDC every
> > > time a user logs on or a computer refreshes computer policy:
>
> > > [USER]
>
> > > Event Type:     Failure Audit
> > > Event Source:   Security
> > > Event Category: Object Access
> > > Event ID:       560
> > > Date:           2/26/2008
> > > Time:           7:12:15 AM
> > > User:           DOMAIN\User
> > > Computer:       DC
> > > Description:
> > > Object Open:
> > > Object Server:  Security
> > > Object Type:    File
> > > Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-
> > > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
> > > Handle ID:      -
> > > Operation ID:   {0,81314006}
> > > Process ID:     4
> > > Image File Name:
> > > Primary User Name:      DC$
> > > Primary Domain: DOMAIN
> > > Primary Logon ID:       (0x0,0x3E7)
> > > Client User Name:       user
> > > Client Domain:  DOMAIN
> > > Client Logon ID:        (0x0,0x4D8BED6)
> > > Accesses:       READ_CONTROL
> > > ReadData (or ListDirectory)
> > > WriteData (or AddFile)
> > > AppendData (or AddSubdirectory or
> > > CreatePipeInstance)
> > > ReadEA
> > > WriteEA
> > > ReadAttributes
> > > WriteAttributes
> > > Privileges:     -
> > > Restricted Sid Count:   0
> > > Access Mask:    0x2019F
> > > [COMPUTER]
>
> > > Event Type:     Failure Audit
> > > Event Source:   Security
> > > Event Category: Object Access
> > > Event ID:       560
> > > Date:           2/26/2008
> > > Time:           7:14:28 AM
> > > User:           DOMAIN\WORKSTATION$
> > > Computer:       DC
> > > Description:
> > > Object Open:
> > > Object Server:  Security
> > > Object Type:    File
> > > Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-
> > > F537-4423-
> > > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
> > > Handle ID:      -
> > > Operation ID:   {0,81342299}
> > > Process ID:     4
> > > Image File Name:
> > > Primary User Name:      DC$
> > > Primary Domain: DOMAIN
> > > Primary Logon ID:       (0x0,0x3E7)
> > > Client User Name:       WORKSTATION$
> > > Client Domain:  DOMAIN
> > > Client Logon ID:        (0x0,0x4D92D17)
> > > Accesses:       READ_CONTROL
> > > ReadData (or ListDirectory)
> > > WriteData (or AddFile)
> > > AppendData (or AddSubdirectory or
> > > CreatePipeInstance)
> > > ReadEA
> > > WriteEA
> > > ReadAttributes
> > > WriteAttributes
> > > Privileges:     -
> > > Restricted Sid Count:   0
> > > Access Mask:    0x2019F
> > > This is accompanied by failure audits for each separate logon script
> > > (startup script in the case of computers, not users). The strange
> > > thing is that the scripts still run no problem. I'm trying to figure
> > > out why there are failures getting triggered if the logon/startup
> > > scripts still run successfully. I checked the NTFS ACL on the
> > > track_logon.bat referenced in the first event, and it has read and
> > > read&execute allowed for "authenticated users".
>
> > > Thanks if anyone can provide any more info.- Hide quoted text -
>
> > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -
 
Re: Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

Re: Failure audits for object access on logon scripts and startupscripts, but clients still run them fine.

On Mar 4, 7:53 am, kcsteele <k.c.ste...@gmail.com> wrote:
> bump
>
> thanks
>
> On Feb 29, 7:07 am, kcsteele <k.c.ste...@gmail.com> wrote:
>
>
>
> > Also the domain was originally NT4 and then upgraded to 2003. Perhaps
> > there is something lingering from the NT4 domain that is causing the
> > failures audits to be triggered?
>
> > On Feb 27, 8:50 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>
> > > Hello kcsteele,
>
> > > You talk about the script. Is in the script an user account configured for
> > > some reason?
>
> > > Best regards
>
> > > Meinolf Weber
> > > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > > no rights.
> > > ** Please do NOT email, only reply to Newsgroups
> > > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > > > Hi, I'm getting failure audits in the security log of the PDC every
> > > > time a user logs on or a computer refreshes computer policy:
>
> > > > [USER]
>
> > > > Event Type:     Failure Audit
> > > > Event Source:   Security
> > > > Event Category: Object Access
> > > > Event ID:       560
> > > > Date:           2/26/2008
> > > > Time:           7:12:15 AM
> > > > User:           DOMAIN\User
> > > > Computer:       DC
> > > > Description:
> > > > Object Open:
> > > > Object Server:  Security
> > > > Object Type:    File
> > > > Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-
> > > > FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
> > > > Handle ID:      -
> > > > Operation ID:   {0,81314006}
> > > > Process ID:     4
> > > > Image File Name:
> > > > Primary User Name:      DC$
> > > > Primary Domain: DOMAIN
> > > > Primary Logon ID:       (0x0,0x3E7)
> > > > Client User Name:       user
> > > > Client Domain:  DOMAIN
> > > > Client Logon ID:        (0x0,0x4D8BED6)
> > > > Accesses:       READ_CONTROL
> > > > ReadData (or ListDirectory)
> > > > WriteData (or AddFile)
> > > > AppendData (or AddSubdirectory or
> > > > CreatePipeInstance)
> > > > ReadEA
> > > > WriteEA
> > > > ReadAttributes
> > > > WriteAttributes
> > > > Privileges:     -
> > > > Restricted Sid Count:   0
> > > > Access Mask:    0x2019F
> > > > [COMPUTER]
>
> > > > Event Type:     Failure Audit
> > > > Event Source:   Security
> > > > Event Category: Object Access
> > > > Event ID:       560
> > > > Date:           2/26/2008
> > > > Time:           7:14:28 AM
> > > > User:           DOMAIN\WORKSTATION$
> > > > Computer:       DC
> > > > Description:
> > > > Object Open:
> > > > Object Server:  Security
> > > > Object Type:    File
> > > > Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-
> > > > F537-4423-
> > > > A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
> > > > Handle ID:      -
> > > > Operation ID:   {0,81342299}
> > > > Process ID:     4
> > > > Image File Name:
> > > > Primary User Name:      DC$
> > > > Primary Domain: DOMAIN
> > > > Primary Logon ID:       (0x0,0x3E7)
> > > > Client User Name:       WORKSTATION$
> > > > Client Domain:  DOMAIN
> > > > Client Logon ID:        (0x0,0x4D92D17)
> > > > Accesses:       READ_CONTROL
> > > > ReadData (or ListDirectory)
> > > > WriteData (or AddFile)
> > > > AppendData (or AddSubdirectory or
> > > > CreatePipeInstance)
> > > > ReadEA
> > > > WriteEA
> > > > ReadAttributes
> > > > WriteAttributes
> > > > Privileges:     -
> > > > Restricted Sid Count:   0
> > > > Access Mask:    0x2019F
> > > > This is accompanied by failure audits for each separate logon script
> > > > (startup script in the case of computers, not users). The strange
> > > > thing is that the scripts still run no problem. I'm trying to figure
> > > > out why there are failures getting triggered if the logon/startup
> > > > scripts still run successfully. I checked the NTFS ACL on the
> > > > track_logon.bat referenced in the first event, and it has read and
> > > > read&execute allowed for "authenticated users".
>
> > > > Thanks if anyone can provide any more info.- Hide quoted text -
>
> > > - Show quoted text -- Hide quoted text -
>
> > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -

bump
 

Similar threads

A
troubleshooting 560 object access failure audit entries
Replies
0
Views
149
awrightus@gmail.com
A
A
Windows2003 R2 SP2 File Auditing Bug
Replies
0
Views
162
Andreas Wahlert
A
M
Security Event Log exploding with 560/562 auditing entries
Replies
1
Views
130
Mark Z.
M
S
Failure Audit
Replies
0
Views
151
spy
S
D
Auditing - Access Mask
Replies
1
Views
159
Kirk Lashbrook
K
Back
Top