
Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.



Guest kcsteele
Posted


 

Hi, I'm getting failure audits in the security log of the PDC every time a user logs on or a computer refreshes computer policy:

 

[USER]

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/26/2008
Time: 7:12:15 AM
User: DOMAIN\User
Computer: DC
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
Handle ID: -
Operation ID: {0,81314006}
Process ID: 4
Image File Name:
Primary User Name: DC$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: user
Client Domain: DOMAIN
Client Logon ID: (0x0,0x4D8BED6)
Accesses: READ_CONTROL
    ReadData (or ListDirectory)
    WriteData (or AddFile)
    AppendData (or AddSubdirectory or CreatePipeInstance)
    ReadEA
    WriteEA
    ReadAttributes
    WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x2019F

 

 

[COMPUTER]

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/26/2008
Time: 7:14:28 AM
User: DOMAIN\WORKSTATION$
Computer: DC
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-F537-4423-A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
Handle ID: -
Operation ID: {0,81342299}
Process ID: 4
Image File Name:
Primary User Name: DC$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: WORKSTATION$
Client Domain: DOMAIN
Client Logon ID: (0x0,0x4D92D17)
Accesses: READ_CONTROL
    ReadData (or ListDirectory)
    WriteData (or AddFile)
    AppendData (or AddSubdirectory or CreatePipeInstance)
    ReadEA
    WriteEA
    ReadAttributes
    WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x2019F

 

 

This is accompanied by failure audits for each separate logon script (startup script in the case of computers, not users). The strange thing is that the scripts still run no problem. I'm trying to figure out why there are failures getting triggered if the logon/startup scripts still run successfully. I checked the NTFS ACL on the track_logon.bat referenced in the first event, and it has read and read&execute allowed for "authenticated users".

 

 

Thanks if anyone can provide any more info.
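
Added example (not part of the original post): the Access Mask from the [USER] event above, decoded bit by bit and compared with the "read" and "read & execute" grant the poster describes. It assumes that grant is the standard FILE_GENERIC_READ | FILE_GENERIC_EXECUTE mask (0x1200A9) and that no other ACE applies; the sample event is trimmed from the post and the function names are illustrative.

```python
import re

# File/directory access-right bits as defined in winnt.h.
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)",
    0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# Assumption: "read" + "read & execute" for Authenticated Users means
# FILE_GENERIC_READ (0x120089) | FILE_GENERIC_EXECUTE (0x1200A0).
READ_AND_EXECUTE = 0x120089 | 0x1200A0  # 0x1200A9

# Sample input: the [USER] event 560 from the post, trimmed, path re-joined.
SAMPLE_EVENT = r"""
Event Type: Failure Audit
Event ID: 560
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
Client User Name: user
Client Domain: DOMAIN
Accesses: READ_CONTROL
    ReadData (or ListDirectory)
    WriteData (or AddFile)
Access Mask: 0x2019F
"""

def decode_mask(mask):
    """Return the names of the access rights set in a file access mask."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]

def parse_event(text):
    """Collect 'Field: value' pairs; continuation lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def explain_failure(text, granted=READ_AND_EXECUTE):
    """Split the requested rights into those inside and outside the grant."""
    f = parse_event(text)
    requested = int(f["Access Mask"], 16)
    denied = requested & ~granted
    return {
        "object": f["Object Name"],
        "client": f["Client Domain"] + "\\" + f["Client User Name"],
        "requested_mask": requested,
        "requested": decode_mask(requested),
        "denied_mask": denied,
        "denied": decode_mask(denied),
    }

if __name__ == "__main__":
    result = explain_failure(SAMPLE_EVENT)
    print(result["client"], "->", result["object"])
    print("requested:", hex(result["requested_mask"]), result["requested"])
    print("outside the grant:", hex(result["denied_mask"]), result["denied"])
```

Windows grants an open only when every requested right is allowed, so a request that carries the four write bits reported here is audited as a failure for a caller that holds only read access.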

Guest Meinolf Weber
Posted

Re: Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.

 


 

Hello kcsteele,

 

You talk about the script. Is a user account configured in the script for some reason?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Guest kcsteele
Posted

Re: Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.

 

Hi Meinolf,

 

They are just logon scripts assigned via GPO that do simple things like append to a .txt file the time that the person logged in (you will see in my original post the event references "track_logon.bat"). However, notice the other event I posted, you will see that it is a machine attempting to refresh machine group policy, which also generates a failure audit. Regardless, the users and machines all receive their policies and run the scripts OK, so I'm confused as to why the failure audits are being triggered.

 

On Feb 27, 8:50 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
> Hello kcsteele,
>
> You talk about the script. Is in the script an user account configured for
> some reason?
>
> Best regards
>
> Meinolf Weber


Guest kcsteele
Posted

Re: Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.

 

Also the domain was originally NT4 and then upgraded to 2003. Perhaps there is something lingering from the NT4 domain that is causing the failure audits to be triggered?

 


Guest kcsteele
Posted

Re: Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.

 

bump

 

thanks

 

On Feb 29, 7:07 am, kcsteele <k.c.ste...@gmail.com> wrote:
> Also the domain was originally NT4 and then upgraded to 2003. Perhaps
> there is something lingering from the NT4 domain that is causing the
> failure audits to be triggered?


  • 3 weeks later...
Guest kcsteele
Posted

Re: Failure audits for object access on logon scripts and startup scripts, but clients still run them fine.

 

On Mar 4, 7:53 am, kcsteele <k.c.ste...@gmail.com> wrote:
> bump
>
> thanks


 

bump
