Posted by Steven L Umbach on October 9, 2005, 10:58 am
I have seen that if a user tries to run something that requires
administrator privileges and he is not an administrator. For instance if
user jlass had tried to run secpol.msc which is Local Security Policy he
would be denied access if he was not an administrator and that object access
failure event would be recorded [try it and see] though the process ID
would depend on exactly what he was being denied access to. To find the
process ID [other than checking Task Manager - doubtful it will be there]
you could enable auditing of process tracking or it may be recorded in other
object access events. To make it easier to find it use Event Comb [free from
MS] and search the computer security logs for the text string 388 to see if
anything is found. If any events are found they should show the path to the
executable for the process which then may help you in trying to find out
what the user was trying to do. In my case the process was for mmc.exe
indicating that the user tried to access an mmc snap-in of which Local
Security Policy is one. I would not worry too much if it is an isolated
event and everything seems to function correctly. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 -- Event Comb
> What does this event mean? Thanks, ChrisW.
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
>
> Description:
> Object Open:
> Object Server: SC Manager
> Object Type: SC_MANAGER OBJECT
> Object Name: ServicesActive
> New Handle ID: -
> Operation ID:
> Process ID: 388
> Primary User Name: MF14$
> Primary Domain: MCMCITRIX
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: jlass
> Client Domain: MCMCITRIX
> Client Logon ID: (0x0,0x2C7D6FA)
> Accesses DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> Connect to service controller
> Create a new service
> Enumerate services
> Lock service database for exclusive access
> Query service database lock state
> Set last-known-good state of service database
>
> Privileges -
>