Failure audits in Event logs

    General Discussion

  • Hi,

    My security logs on 2008 R2 DCs are full of the following failure audits:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/1/2011 8:51:00 AM
    Event ID:      4662
    Task Category: Directory Service Access
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    An operation was performed on an object.

    Subject :
        Security ID:        DOMAIN\USERCOMPUTER$
        Account Name:        USERCOMPUTER$
        Account Domain:       DOMAIN
        Logon ID:        0x3d71bc79

        Object Server:        DS
        Object Type:        computer
        Object Name:        CN=USERCOMPUTER,OU=xxx,OU=xxx,OU=xxx,DC=microsoft,DC=msft
        Handle ID:        0x0

        Operation Type:        Object Access
        Accesses:        Control Access
        Access Mask:        0x100
        Properties:        ---

    Additional Information:
        Parameter 1:        -
        Parameter 2:       

    I want to rid my logs of the huge amount of such events. It seems that all of our machines cause such events. How do I troubleshoot such events? Thanks.

    • Changed type Bruce-Liu 29 July 2011 7:34
    01 July 2011 6:13

All Replies

  • This auditing is new to 2008.  You have a good amount of control over what gets logged.  Have a look at this TechNet article for some details and options:


    Otherwise, you may want to consider creating a custom view in the Event Log.  That way, you can maintain as much information as possible in your logs but only see what you want to based on the given situation.  You can create a custom view that only displays Critical or Error events.



    01 July 2011 16:38
  • I don't understand your answer. Why do I need to create custom views? I can view these events without any custom views. I see that these events are generated by almost all of my clients. The events are identical, with ID 4662. I only want to find out exactly what operation from the clients causes such events, as I want to eliminate them. What exactly does the client want to do in AD?
    04 July 2011 13:24
  • From the link I sent, the first couple of sentences sum it up:  "The global audit policy Audit directory service access controls whether auditing for directory service events is enabled or disabled. This security setting determines whether events are logged in the Security log when certain operations are carried out on objects in the directory. You can control what operations to audit by modifying the system access control list (SACL) on an object.".  You should review your auditing settings and make adjustments to suit the organization's requirements.

    In your case, you want to get rid of the logs because they represent a huge amount of events.  You have two options - use a custom view (so that you are not seeing them to begin with) or modify your audit settings so that less information is being logged.  I typically recommend to maintain as much logging as possible and use custom views to get rid of the "noise".  In the case of a serious event (such as a security incident), it is nice to have as much logging as possible.  But, you can certainly turn down the auditing instead. 

    Hope this clears it up.


    06 July 2011 6:08
  • Brian,


    I think that you didn't understand me. I do not want to remove these log entries from appearing in the logs on the DC. I know how to do that very well. My problem is that, as I said before, this huge amount of entries are identical and generated from all of my clients. So I wanted to ask for help on how to troubleshoot an entry such as the one I posted earlier. I wanted to find the cause of this entry's appearance in the logs on the DC (access rights, something else). I'll repeat - I do not want to disable such failure audits via GPO.

    11 July 2011 9:43
  • Sorry about the confusion. Sometimes it can be tough trying to understand each other via forum posts! I haven't run into many failure audits for 4662, unfortunately. These are commonly seen as success audits even when there appears to be no activity. For example, in one of my environments, I have a number of 4662 success audits in the middle of the night for a virtual machine that hasn't been used in days (although it is powered on and functioning). I attempted to reproduce some 4662 failure audits by taking a few actions but wasn't able to generate any. In another environment that I checked, I have over 35,000 success audits on 4662 and not a single failure audit. So I can't come up with much to help in troubleshooting these events. Hopefully somebody else has a bit of insight.



    12 July 2011 21:09
  • I never saw these Audit Failure errors either until recent patching including SP1, so maybe it was introduced then. I also don't see enough details to know what failed, but it's not really a failure; it's logged when any property is accessed. This site was real helpful
    • Edited by kenrury 28 October 2011 20:56
    28 October 2011 20:25
  • Has anyone been able to find more information about this?  The way that the audit failure log reads is as if the machine accounts are trying to make changes to an object in AD and are getting denied access.  If everything is working ok, then why would the machine accounts be trying to make unauthorized changes in AD?
    27 September 2012 11:25
  • Did you ever figure this out? I am seeing some similar issues with computer objects trying to access group objects and getting Audit Failures. Very similar.
    10 February 2016 17:39
  • Same issue here. It is trying to write a property that is a long GUID. I suspect (at a cursory glance) that it's a machine checking into DHCP and trying to update its DNS information, which in turn writes that back to AD.

    The path in my case for the object name is 


    Access is Write Property and Write Self

    Although most of my objects are computer names, I am also getting the same error on group memberships too.

    Turning off audit failures on Directory access seems a crazy and insecure method of fixing the issue.

    Running an ipconfig /registerdns on a server did not generate this alert.

    Granting Self Write access to this node within Adsiedit did not seem to make any difference.

    No objects that I see have Write denied.

    13 May 2016 18:36
  • As a follow up, I also get an error show up when certain users login. The operation is below and I get an event for each group that the user is a member of. I checked and the user isn't disabled or locked out.

     operation was performed on an object.

    Subject :
    Security ID: bob\steve
    Account Name: steve
    Account Domain: bob
    Logon ID: 0x7D7229B7

    Object Server: DS
    Object Type: group
    Object Name: CN=bob,OU=Distribution Groups,OU=Delegated,OU=bob,OU=bob,DC=bob,DC=pri
    Handle ID: 0x0

    Operation Type: Object Access
    Accesses: Control Access

    Access Mask: 0x100
    Properties: ---

    Additional Information:
    Parameter 1: -
    Parameter 2:

    25 May 2016 15:26
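
Added example (not part of any post in this thread): a small Python triage script for 4662 records in the text layout quoted above. It decodes the Access Mask into Active Directory right names and flags computer accounts requesting access to their own object; the sample records, domain components and function names are constructed for illustration.

```python
import re
from collections import Counter

# AD access-right bits (ADS_RIGHTS_ENUM) carried in the 4662 "Access Mask" field
DS_RIGHTS = {0x1: "Create Child", 0x2: "Delete Child", 0x4: "List Contents",
             0x8: "Write Self", 0x10: "Read Property", 0x20: "Write Property",
             0x40: "Delete Tree", 0x80: "List Object", 0x100: "Control Access"}

# Constructed sample in the layout posted in this thread (names are placeholders)
SAMPLE = """\
Subject :
    Account Name: USERCOMPUTER$
    Object Type: computer
    Object Name: CN=USERCOMPUTER,OU=xxx,DC=example,DC=test
    Access Mask: 0x100
Subject :
    Account Name: steve
    Object Type: group
    Object Name: CN=bob,OU=Distribution Groups,DC=example,DC=test
    Access Mask: 0x100
"""

FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """One dict per event; a 'Subject' header line starts a new record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Subject":
            events.append({})
        elif m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def decode_mask(mask_hex):
    """Names of the rights set in a hex access mask, lowest bit first."""
    return [name for bit, name in DS_RIGHTS.items() if int(mask_hex, 16) & bit]

def is_self_access(ev):
    """True when a computer account (NAME$) touches its own object (CN=NAME,...)."""
    acct = ev.get("Account Name", "")
    m = re.match(r"CN=([^,]+)", ev.get("Object Name", ""), re.I)
    return bool(m) and acct.endswith("$") and m.group(1).lower() == acct[:-1].lower()

def summarize(text):
    """Count events per (object type, requested rights, self-access)."""
    return Counter((ev.get("Object Type", "?"),
                    "+".join(decode_mask(ev.get("Access Mask", "0x0"))),
                    is_self_access(ev)) for ev in parse_events(text))
```

Calling `summarize()` on text exported from the Security log gives a count per (object type, rights, self-access) tuple, which shows at a glance whether the failure audits are dominated by machines requesting Control Access on their own computer objects.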