Failure audits for object access on logon scripts and startup scripts, but clien

Giganews Newsgroups
Subject: Failure audits for object access on logon scripts and startup scripts, but clien
Posted by:  kcsteele (k.c.stee…@gmail.com)
Date: Tue, 26 Feb 2008

Hi, I'm getting failure audits in the security log of the PDC every
time a user logs on or a computer refreshes computer policy:

[USER]

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        2/26/2008
Time:        7:12:15 AM
User:        DOMAIN\User
Computer:    DC
Description:
Object Open:
    Object Server:    Security
    Object Type:    File
    Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{0315E207-
FA91-4913-8FE8-A2E4832A1BA7}\User\Scripts\Logon\track_logon.bat
    Handle ID:    -
    Operation ID:    {0,81314006}
    Process ID:    4
    Image File Name:
    Primary User Name:    DC$
    Primary Domain:    DOMAIN
    Primary Logon ID:    (0x0,0x3E7)
    Client User Name:    user
    Client Domain:    DOMAIN
    Client Logon ID:    (0x0,0x4D8BED6)
    Accesses:    READ_CONTROL
            ReadData (or ListDirectory)
            WriteData (or AddFile)
            AppendData (or AddSubdirectory or CreatePipeInstance)
            ReadEA
            WriteEA
            ReadAttributes
            WriteAttributes

    Privileges:    -
    Restricted Sid Count:    0
    Access Mask:    0x2019F

[COMPUTER]

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        2/26/2008
Time:        7:14:28 AM
User:        DOMAIN\WORKSTATION$
Computer:    DC
Description:
Object Open:
    Object Server:    Security
    Object Type:    File
    Object Name:    C:\WINDOWS\SYSVOL\domain\Policies\{DFBF9311-F537-4423-
A1D6-D225FC445774}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
    Handle ID:    -
    Operation ID:    {0,81342299}
    Process ID:    4
    Image File Name:
    Primary User Name:    DC$
    Primary Domain:    DOMAIN
    Primary Logon ID:    (0x0,0x3E7)
    Client User Name:    WORKSTATION$
    Client Domain:    DOMAIN
    Client Logon ID:    (0x0,0x4D92D17)
    Accesses:    READ_CONTROL
            ReadData (or ListDirectory)
            WriteData (or AddFile)
            AppendData (or AddSubdirectory or CreatePipeInstance)
            ReadEA
            WriteEA
            ReadAttributes
            WriteAttributes

    Privileges:    -
    Restricted Sid Count:    0
    Access Mask:    0x2019F

This is accompanied by failure audits for each separate logon script
(startup script in the case of computers, not users). The strange
thing is that the scripts still run no problem. I'm trying to figure
out why there are failures getting triggered if the logon/startup
scripts still run successfully. I checked the NTFS ACL on the
track_logon.bat referenced in the first event, and it has read and
read&execute allowed for "authenticated users".

Thanks if anyone can provide any more info.

Replies