JSI Tip 8679. Event IDs 560 and 562 appear many times in the security event log?
November 11, 2004
Microsoft Knowledge Base Article 841001 describes the following symptoms:
After you configure Group Policy or Local Security Policy to audit access to an object, many events that are similar to the following events appear in the security event log:
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: date
Time: time
Type: Success
User: EXAMPLEusername
Computer: computer_name
Description:
Object Open:
Object Server: Security
Object Type: Object_Type
Object Name: Object_Type
New Handle ID: 104
Operation ID: {0,252360}
Process ID: 1156
Primary User Name: username
Primary Domain: EXAMPLE
Primary Logon ID: (logon_ID)
Client User Name:
Client Domain:
Client Logon ID:
Accesses
Privileges
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: date
Time: time
Type: Success
User: EXAMPLEusername
Computer: computer_name
Description:
Handle Closed:
Object Server: Security
Handle ID: 104
Process ID: 1156
These events appear if you have not configured the security access control list (SACL) on the object that you are auditing. The events also appear if you have configured the SACL, but not for all the listed accesses. For example, these events are logged when a user or a program reads a registry subkey, and you have not selected the Read Control or the Query Value check box in the auditing entry for that registry subkey.
Note For additional information about how to configure auditing, see the "More Information" section.
About the Author
You May Also Like