Event Logs running full with 560s

February 2, 2006 at 05:46:01
Specs: Windows 2003 Server, Intel XEON 1,8 GHz with 1

Hi,

we've create a new user and setup our domain auditing on our DCs, the Logs are running full with Event 560, when Users access their homedirectories.

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 02.02.2006
Time: 13:25:38
User: Domain\User
Computer: FileServer
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Path to Homedirectory\Object
Handle ID: -
Operation ID: {0,40654567}
Process ID: 4
Image File Name:
Primary User Name: administrative Share on FileServer
Primary Domain: Domain
Primary Logon ID: (0x0,0x3E7)
Client User Name: User
Client Domain: Domain
Client Logon ID: (0x0,0x17F8E4C)
Accesses: DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1030089

may some one help?

greets

Mirko

Viele die Leben verdienen den Tod und einige die sterben verdienen das Leben, kannst du es ihnen wieder geben?



See More: Event Logs running full with 560s

Report •


#1
February 2, 2006 at 07:14:30

If you don't want the logs to fill up, then you'll either have to change the audit settings, or change the configuration settings for the size of the Event Log files.

Soylent Green is PEOPLE!!!


Report •

#2
February 3, 2006 at 06:30:26

Hi,

thank you for answering to my question.
We found out, that when Users copied Files from another ones share to their homedirectory, the permissions are the same as the original, but the User do not have the same permissions as the creator. The problem is that we activate auditing for the homedirectories and so the User has the wrong permissions for the files and the SACL creates this events day by day.
Now we need to think over our Auditing settings for homedirectories, because we dont need auditing within the directories.


Report •

Related Solutions


Ask Question