none
Object Access event log - how to check default ACL on windows server 2003 - event id: 562

    Question

  • Masters,

    I need to enable directory auditing on windows server 2003 to a specific directory.

    So first of all i set in the Defaul Domain Controller Policy / Security / Local / Audit / Object access audit (both success and failur)

    So, auditing my directory work well, but unfortunatelly the event log is full with:

        Source: Security, EventID 562; Microsoft Exchange, C:\Program Files\Exchsrv\bin\store.exe

        So, i check this file properties (security-->advanced ---> audit) but nothing audit specific properties set for this file.

        How can i check which file have this settings? Any list where i can check? How to turn off Object Aceess auditing to this file? (my event log is unmanageable 'coz full of with this message..)

    Thank you.

    Thursday, February 09, 2012 8:28 AM

All replies

  • Hello,

    Maybe the audit scope is too broad. C:\Program Files\Exchsrv\bin\store.exe seems to be related to Exchange Service (Not sure, post on Exchange forum for more information). You might consider not to audit application files as they are accessed very often.

    Here is the Microsoft KB talking about this:

    Event IDs 560 and 562 appear many times in the security event log
    http://support.microsoft.com/kb/841001

    Please also check this:

    Event ID: 562 Source: Security
    http://www.eventid.net/display.asp?eventid=562&eventno=196&source=Security&phase=1


    Thanks
    ZHANG

    Friday, February 10, 2012 5:01 AM
    Moderator
  • I try several things:

       - Audit the access of global system objects is disabled under Local Policy

       - i checked the auditing setting on store.exe - try to set auditing to SYSTEM with TAKE OWNERSHIP option, maybee than stop other auditing.. -

      Found this: http://technet.microsoft.com/en-us/library/cc957089.aspx ; but i dont know how to disalbe this logging.

      I try to find a way how to list all SACL which is set up already.

    "You might consider not to audit application files as they are accessed very often." - how to do this? I only set auditing to one of my folder (and subfolders). I don't want to auditing any other application/dir/etc...

    The microsoft address what you suggest tell this:

    "These events appear if you have not configured the security access control list (SACL) on the object that you are auditing. The events also appear if you have configured the SACL, but not for all the listed accesses. For example, these events are logged when a user or a program reads a registry subkey, and you have not selected the Read Control or the Query Value check box in the auditing entry for that registry subkey. "

    I don't really understand what should this mean...

    Friday, February 10, 2012 9:34 AM