Hi, we've created a new user and set up our domain auditing on our DCs. The logs are running full with Event 560 when users access their home directories.
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 02.02.2006
Time: 13:25:38
User: Domain\User
Computer: FileServer
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Path to Homedirectory\Object
Handle ID: -
Operation ID: {0,40654567}
Process ID: 4
Image File Name:
Primary User Name: administrative Share on FileServer
Primary Domain: Domain
Primary Logon ID: (0x0,0x3E7)
Client User Name: User
Client Domain: Domain
Client Logon ID: (0x0,0x17F8E4C)
Accesses: DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1030089
May someone help?
greets
Mirko
Many who live deserve death, and some who die deserve life; can you give it back to them?

If you don't want the logs to fill up, then you'll either have to change the audit settings, or change the configuration settings for the size of the Event Log files.
Soylent Green is PEOPLE!!!
Hi, thank you for answering my question.
We found out that when users copied files from another user's share to their home directory, the permissions are the same as the original, but the user does not have the same permissions as the creator. The problem is that we activated auditing for the home directories, so the user has the wrong permissions for the files and the SACL creates these events day by day.
Now we need to think over our auditing settings for home directories, because we don't need auditing within the directories.
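One way to triage this kind of Event 560 noise, as an added example that is not part of the original thread: the Python below parses exported event text, decodes the Access Mask with the standard Windows file access-right bits, and counts failure audits per client user and folder. The sample export and the names `decode_mask`, `parse_events` and `noisy_sources` are constructed for illustration.

```python
import re
from collections import Counter

# Standard Windows access-mask bits for file objects.
FILE_RIGHTS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile", 0x4: "AppendData",
    0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Execute/Traverse", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE", 0x1000000: "ACCESS_SYS_SEC",
}
FIELD = re.compile(r"^\s*(Event Type|Event ID|Object Name|Client User Name|Access Mask):\s*(.*?)\s*$", re.M)
# Constructed sample export (not from the thread); field names follow the event above.
SAMPLE = r"""Event Type: Failure Audit
Event ID: 560
Object Name: F:\Home\alice\copied.doc
Client User Name: alice
Access Mask: 0x1030089
Event Type: Failure Audit
Event ID: 560
Object Name: F:\Home\alice\copied2.doc
Client User Name: alice
Access Mask: 0x1030089
Event Type: Success Audit
Event ID: 560
Object Name: F:\Home\bob\notes.txt
Client User Name: bob
Access Mask: 0x20089
"""

def decode_mask(mask):
    """Names of the rights set in a file access mask; unknown bits as hex."""
    names = [n for bit, n in sorted(FILE_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(FILE_RIGHTS)
    return names + ([hex(leftover)] if leftover else [])

def parse_events(text):
    """Split the export on 'Event Type:' and keep complete Event 560 records."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        f = dict(FIELD.findall(chunk))
        if f.get("Event ID") == "560" and len(f) == 5:
            events.append({**f, "Rights": decode_mask(int(f["Access Mask"], 16))})
    return events

def noisy_sources(events, top=5):
    """Count failure audits per (client user, parent folder), busiest first."""
    return Counter((e["Client User Name"], e["Object Name"].rsplit("\\", 1)[0])
        for e in events if e["Event Type"] == "Failure Audit").most_common(top)
```

Folders that dominate the output are the ones whose SACL or file permissions are worth reviewing first.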
