Article ID: 841001
After you configure Group Policy or Local Security Policy to audit access to an object, many events that are similar to the following events appear in the security event log:
Event Source: Security
These events appear if you have not configured the security access control list (SACL) on the object that you are auditing. The events also appear if you have configured the SACL, but not for all the listed accesses. For example, these events are logged when a user or a program reads a registry subkey, and you have not selected the Read Control or the Query Value check box in the auditing entry for that registry subkey.
Note: For additional information about how to configure auditing, see the "More Information" section.
This issue may occur if one of the following conditions is true:
To resolve this issue, use one of the following methods:
Method 1: Disable the "Audit the access of global system objects" Local Security Policy setting if you have previously enabled this setting. To do this, follow these steps:
Method 2: Use the ADSI Edit snap-in to remove the auditing entries on the SACL for a SAM object if you have enabled auditing on a domain controller. To do this, follow these steps.
Note: The ADSI Edit snap-in is located in the Support folder on the Windows 2000 installation CD-ROM.
Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
Method 3: Configure the custom application to open audited objects only as required. For example, configure the custom application to request only the minimum access that is required. If the custom application requires only read access for a specific object, assign only read access. In this case, full control access is not required.
Windows 2000 implements auditing based on the access that is requested by a user or by a program. If a user or a program accesses an object by using an account that has an auditable level of access to the object, Windows generates the corresponding audit event. For example, if you configure a program with write access to an object, and you have configured auditing for write events, a write audit event is generated when that program accesses the object. This behavior occurs even if the program does not perform a write operation to a registry subkey. In this scenario, this audit event is generated because the program has the potential to write to the object.
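The request-based behavior described above, and the effect of Method 3, as a simplified model that is added here and is not Microsoft's code: an audit entry applies when the access mask requested at open time overlaps the mask audited in the SACL, whatever the program does afterward. The bit values are the registry access rights from winnt.h; the function names, the operation labels, and the sample SACL are assumptions, and trustee matching and success/failure flags are left out.

```python
# Simplified model: Windows audits the access mask REQUESTED when a handle is
# opened, not the operations performed later. Bit values are from winnt.h.
KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x0001, 0x0002, 0x0004
KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK = 0x0008, 0x0010, 0x0020
DELETE, READ_CONTROL = 0x00010000, 0x00020000
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000

KEY_READ = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_WRITE = READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
KEY_ALL_ACCESS = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER | 0x3F

# Check-box names used in the auditing entry for a registry key.
RIGHT_NAMES = {
    KEY_QUERY_VALUE: "Query Value", KEY_SET_VALUE: "Set Value",
    KEY_CREATE_SUB_KEY: "Create Subkey",
    KEY_ENUMERATE_SUB_KEYS: "Enumerate Subkeys",
    KEY_NOTIFY: "Notify", KEY_CREATE_LINK: "Create Link",
    DELETE: "Delete", READ_CONTROL: "Read Control",
    WRITE_DAC: "Write DAC", WRITE_OWNER: "Write Owner",
}

def audited_rights(requested, sacl_mask):
    """Rights that are both requested at open time and audited by the SACL."""
    hit = requested & sacl_mask
    return [name for bit, name in RIGHT_NAMES.items() if hit & bit]

def minimum_mask(operations):
    """Method 3 (hypothetical helper): smallest mask for the operations
    the program really performs."""
    needs = {"read_value": KEY_QUERY_VALUE,
             "list_subkeys": KEY_ENUMERATE_SUB_KEYS,
             "write_value": KEY_SET_VALUE,
             "create_subkey": KEY_CREATE_SUB_KEY}
    mask = 0
    for op in operations:
        mask |= needs[op]
    return mask

# Constructed scenario: the SACL audits write-type access only.
SACL_WRITE_AUDIT = KEY_SET_VALUE | KEY_CREATE_SUB_KEY

if __name__ == "__main__":
    cases = [("KEY_ALL_ACCESS", KEY_ALL_ACCESS), ("KEY_READ", KEY_READ),
             ("minimum for read_value", minimum_mask(["read_value"]))]
    for label, mask in cases:
        hits = audited_rights(mask, SACL_WRITE_AUDIT)
        print(f"{label:24} 0x{mask:05X} -> audited rights: {hits}")
```

A program that opens the subkey with KEY_ALL_ACCESS and only reads a value still matches the write auditing entry; the same program opening with the minimum mask matches nothing.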
Windows implements this auditing method to maintain compliance with the Common Criteria certification standards and, previously, the C2 certification standards. For additional information about C2 audit requirements, see A Guide to Understanding Audit in Trusted Systems. To see this guide, visit the following Web page:
http://www.fas.org/irp/nsa/rainbow/tg001.htm
"Section 6.1.1 Auditable Events" in this guide contains the following two auditable events:
For additional information about the Common Criteria certification standards, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc700818.aspx
For additional information about how to audit registry keys, click the following article number to view the article in the Microsoft Knowledge Base:
315416 (http://support.microsoft.com/kb/315416/) How to use Group Policy to audit registry keys in Windows 2000
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
816915 (http://support.microsoft.com/kb/816915/) New file naming schema for Microsoft Windows software update packages
824684 (http://support.microsoft.com/kb/824684/) Description of the standard terminology that is used to describe Microsoft software updates
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Article ID: 841001 - Last Review: March 27, 2007 - Revision: 2.6