Failure audits in Event logs

    General Discussion

  • Hi,

    My security logs on 2008 R2 DCs are full of the following failure audits:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/1/2011 8:51:00 AM
    Event ID:      4662
    Task Category: Directory Service Access
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      dc1.microsoft.msft
    Description:
    An operation was performed on an object.

    Subject :
        Security ID:        DOMAIN\USERCOMPUTER$
        Account Name:        USERCOMPUTER$
        Account Domain:       DOMAIN
        Logon ID:        0x3d71bc79

    Object:
        Object Server:        DS
        Object Type:        computer
        Object Name:        CN=USERCOMPUTER,OU=xxx,OU=xxx,OU=xxx,DC=microsoft,DC=msft
        Handle ID:        0x0

    Operation:
        Operation Type:        Object Access
        Accesses:        Control Access
        Access Mask:        0x100
        Properties:        ---
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                {aa4e1a6d-550d-4e05-8c35-4afcb917a9fe}
            {bf967a86-0de6-11d0-a285-00aa003049e2}

    Additional Information:
        Parameter 1:        -
        Parameter 2:

    I want to rid my logs of a huge amount of such events. It seems that all of our machines cause such events. How do I troubleshoot such events? Thanks.

    • Type changed by Bruce-Liu 29 July 2011 7:34
    01 July 2011 6:13

All Replies

  • This auditing is new to 2008.  You have a good amount of control over what gets logged.  Have a look at this TechNet article for some details and options:

    http://technet.microsoft.com/en-us/library/cc731764(WS.10).aspx


    Otherwise, you may want to consider creating a custom view in the Event Log.  That way, you can maintain as much information as possible in your logs but only see what you want to based on the given situation.  You can create a custom view that only displays Critical or Error events.


    Brian

    • Proposed as answer by Brian Svidergol 01 July 2011 16:59
    • Unproposed as answer by Rimvydas 04 July 2011 13:24
    01 July 2011 16:38
  • I don't understand your answer. Why do I need to create custom views? I can view these events without any custom views. I see that these events are generated from almost all of my clients. The events are identical, with ID 4662. I only want to find out exactly what operation from the clients causes such events, as I want to eliminate them. What exactly does the client want to do in AD?
    04 July 2011 13:24
  • From the link I sent, the first couple of sentences sum it up: "The global audit policy Audit directory service access controls whether auditing for directory service events is enabled or disabled. This security setting determines whether events are logged in the Security log when certain operations are carried out on objects in the directory. You can control what operations to audit by modifying the system access control list (SACL) on an object." You should review your auditing settings and make adjustments to suit the organization's requirements.

    In your case, you want to get rid of the logs because they represent a huge amount of events.  You have two options - use a custom view (so that you are not seeing them to begin with) or modify your audit settings so that less information is being logged.  I typically recommend to maintain as much logging as possible and use custom views to get rid of the "noise".  In the case of a serious event (such as a security incident), it is nice to have as much logging as possible.  But, you can certainly turn down the auditing instead. 

    Hope this clears it up.

    Brian

    06 July 2011 6:08
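The two options above (a custom view that hides the noise, or narrower audit settings) both leave the original question open: which subjects, objects and rights actually account for the 4662 failures. The script below is an added example for this thread, not something any poster provided. It pulls only 4662 Audit Failure entries using the same XPath Event Viewer writes into a custom view, groups them by subject, access mask and the GUIDs in the Properties field, and then resolves those GUIDs against the Extended-Rights container and the AD schema so that "Control Access" plus a GUID reads as a named right, property set, attribute or class. It assumes it is run on a DC (or a host that can read the DC's Security log) as an account allowed to read that log, uses only ADSI (no AD module), and the 5000-event cap is an arbitrary choice.

```powershell
# Added example (not from this thread): triage Event ID 4662 "Audit Failure" entries.
# Assumptions: run on a DC as an account that can read the Security log; ADSI only.

# XPath identical to what Event Viewer generates for a custom view limited to
# Event ID 4662 with the Audit Failure keyword (4503599627370496 = 0x10000000000000).
$xpath  = "*[System[(EventID=4662) and band(Keywords,4503599627370496)]]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 -ErrorAction Stop

# Pull the EventData fields out of each event's XML rendering.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Properties lists the property-set / right / class GUIDs in braces, one per line.
    $guids = [regex]::Matches([string]$data['Properties'], '\{[0-9a-fA-F-]{36}\}') |
             ForEach-Object { $_.Value }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectName = $data['ObjectName']
        AccessMask = $data['AccessMask']      # 0x100 = ADS_RIGHT_DS_CONTROL_ACCESS
        Properties = ($guids -join ' ')
    }
}

# 1. Is it really "all clients", and is the mask always 0x100?
$rows | Group-Object Subject    | Sort-Object Count -Descending | Select-Object Count, Name -First 10
$rows | Group-Object AccessMask | Select-Object Count, Name

# 2. Which rights / property sets are being requested? Resolve the GUIDs.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value

function Resolve-AdGuid {
    param([string]$Guid)   # "{guid}" exactly as it appears in the event
    $g = $Guid.Trim('{}')
    # Control access rights and property sets live under Extended-Rights; rightsGuid is a string.
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Extended-Rights,$configNC")
    $s.Filter = "(rightsGuid=$g)"
    $r = $s.FindOne()
    if ($r) { return "$($r.Properties['displayName'][0]) (extended right / property set)" }
    # Attributes and classes live in the schema; schemaIDGUID is stored as bytes,
    # so the LDAP filter needs the byte-escaped form of the GUID.
    $hex = (([guid]$g).ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNC")
    $s.Filter = "(schemaIDGUID=$hex)"
    $r = $s.FindOne()
    if ($r) {
        $kind = @($r.Properties['objectClass'])[-1]   # attributeSchema or classSchema
        return "$($r.Properties['ldapDisplayName'][0]) ($kind)"
    }
    return "unresolved $Guid"
}

# One line per distinct combination of requested rights, most frequent first.
$rows | Group-Object Properties | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Count = $_.Count
        Names = (($_.Name -split ' ') | ForEach-Object { Resolve-AdGuid $_ }) -join '; '
    }
}
```

The first two groupings tell you whether the pattern is uniform (every machine account, always 0x100, always the same object name as the subject, as in the event quoted at the top of the thread); the last one turns the GUIDs into names so the failure can be matched against the SACL and DACL of the affected computer objects rather than guessed at from the raw event.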
  • Brian,


    I think that you didn't understand me. I do not want to remove these log entries from appearing in the logs on the DC. I know how to do that very well. My problem is that, as I said before, this huge amount of entries is identical and generated from all of my clients. So I wanted to ask for help on how to troubleshoot such an entry as I posted earlier. I wanted to find the cause of this entry's appearance in the logs on the DC (access rights, something else). I'll repeat: I do not want to disable such failure audits via GPO.

    11 July 2011 9:43
  • Sorry about the confusion. Sometimes it can be tough trying to understand each other via forum posts! I haven't run into many failure audits for 4662, unfortunately. These are commonly seen as success audits even when there appears to be no activity. For example, in one of my environments, I have a number of 4662 success audits in the middle of the night for a virtual machine that hasn't been used in days (although it is powered on and functioning). I attempted to reproduce some 4662 failure audits by taking a few actions but wasn't able to generate any. In another environment that I checked, I have over 35,000 success audits on 4662 and not a single failure audit. So I can't come up with much to help in troubleshooting these events. Hopefully somebody else has a bit of insight.


    Brian

    12 July 2011 21:09
  • I never saw these Audit Failure errors either until recent patching including SP1, so maybe it was introduced then. I also don't see enough details to know what failed, but it's not really a failure; it's logged when any property is accessed. This site was really helpful: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4662.
    • Edited by kenrury 28 October 2011 20:56
    28 October 2011 20:25
  • Has anyone been able to find more information about this? The way that the audit failure log reads is as if the machine accounts are trying to make changes to an object in AD and are getting denied access. If everything is working OK, then why would the machine accounts be trying to make unauthorized changes in AD?
    27 September 2012 11:25