JSI Tip 8679. Event IDs 560 and 562 appear many times in the security event log?

Jerold Schulman

November 11, 2004

1 Min Read
ITPro Today logo in a gray background | ITPro Today


Microsoft Knowledge Base Article 841001 describes the following symptoms:

After you configure Group Policy or Local Security Policy to audit access to an object, many events that are similar to the following events appear in the security event log:
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: date
Time: time
Type: Success
User: EXAMPLEusername
Computer: computer_name
Description:
Object Open:
Object Server: Security
Object Type: Object_Type
Object Name: Object_Type
New Handle ID: 104
Operation ID: {0,252360}
Process ID: 1156
Primary User Name: username
Primary Domain: EXAMPLE
Primary Logon ID: (logon_ID)
Client User Name:
Client Domain:
Client Logon ID:
Accesses

Privileges

Event Source: Security
Event Category: Object Access
Event ID: 562
Date: date
Time: time
Type: Success
User: EXAMPLEusername
Computer: computer_name
Description:
Handle Closed:
Object Server: Security
Handle ID: 104
Process ID: 1156
These events appear if you have not configured the security access control list (SACL) on the object that you are auditing. The events also appear if you have configured the SACL, but not for all the listed accesses. For example, these events are logged when a user or a program reads a registry subkey, and you have not selected the Read Control or the Query Value check box in the auditing entry for that registry subkey.

Note For additional information about how to configure auditing, see the "More Information" section.



Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like