Audit Failure 4656 Errors on Server 2008 Domain Controller

 
Audit Failure 4656 Errors on Server 2008 Domain Controller - 21.Sep.2009 5:13:12 PM   
nptech

 

EventsManager 8.2.0 (20090302) on Server 2008 R2 Enterprise 64-bit.

When monitoring logs on a Windows Server 2008 ENT 64-bit domain controller, I receive a pile of 4656 "Audit Failure" errors after performing some routine tasks on the server (accessing DHCP / DNS management consoles, etc.). Tasks are performed when logged in as domain administrator, so it is now known why this is triggering an 'audit failure' warning.

GFI alert email subjects include:

Access refused to existing object - Critical -  <SERVERNAME> -  4656
Take ownership attempts based on object access events - Critical -  <SERVERNAME> -  4656

Contents of Windows Event Log:
--------------------------------------
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/21/2009 3:30:15 PM
Event ID:      4656
Task Category: File System
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      <SERVERNAME>
Description:
A handle to an object was requested.

Subject:
   Security ID:        <DOMAIN>\<userid>
   Account Name:        <userid>
   Account Domain:        <DOMAIN>
   Logon ID:        0xaae064a

Object:
   Object Server:        Security
   Object Type:        File
   Object Name:        C:\Windows\System32\dhcpmgmt.msc
   Handle ID:        0x0

Process Information:
   Process ID:        0xd50
   Process Name:        C:\Windows\System32\mmc.exe

Access Request Information:
   Transaction ID:        {00000000-0000-0000-0000-000000000000}
   Accesses:        READ_CONTROL
           SYNCHRONIZE
           WriteData (or AddFile)
           AppendData (or AddSubdirectory or CreatePipeInstance)
           WriteEA
           ReadAttributes
           WriteAttributes
          
   Access Mask:        0x120196
   Privileges Used for Access Check:    -
   Restricted SID Count:    0
--------------------------------------

I'm being flooded by these warnings after each time I log on to my domain controller for routine administrative tasks.

It seems that, even logged on as domain administrator, these audit errors are being triggered. Any ideas? Anyone else experiencing the same problem?
Post #: 1
RE: Audit Failure 4656 Errors on Server 2008 Domain Con... - 22.Sep.2009 8:10:31 AM   
DrewE

 

What account is the GFI EventsManager service using for its logon rights? Often, the simplest answer here is to use a dedicated GFI service account, then add a noise filtering policy to ignore this user's failures for this specific event.

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to nptech)
Post #: 2
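
The following is an added example, not part of either post and not GFI code. It pulls the object, process and access mask out of a 4656 description and decodes the mask with the file access-right values from the Windows SDK. For the event quoted in the first post, 0x120196 decodes to exactly the rights listed under "Accesses": it includes write rights and does not include WRITE_OWNER or WRITE_DAC. The function names and the two triage flags are assumptions made for this example.

```python
import re

# File and standard access-right bits from the Windows SDK (winnt.h).
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)", 0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA", 0x000010: "WriteEA",
    0x000020: "Execute/Traverse", 0x000040: "DeleteChild",
    0x000080: "ReadAttributes", 0x000100: "WriteAttributes",
    0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
WRITE_BITS = 0x000002 | 0x000004 | 0x000010 | 0x000100  # data, append, EA, attributes
OWNERSHIP_BITS = 0x040000 | 0x080000                    # WRITE_DAC, WRITE_OWNER

# Excerpt of the event text from the first post, embedded so the example runs offline.
SAMPLE_EVENT = """\
Object:
   Object Name:        C:\\Windows\\System32\\dhcpmgmt.msc
Process Information:
   Process Name:        C:\\Windows\\System32\\mmc.exe
Access Request Information:
   Access Mask:        0x120196
"""

def field(text, name):
    """Return the value of a 'Name:   value' line in the event description."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def decode_mask(mask):
    """Return (named rights in bit order, bits that are not in FILE_RIGHTS)."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    return names, mask & ~sum(FILE_RIGHTS)

def summarize(text):
    """Triage summary for one 4656 event logged against a File object."""
    mask = int(field(text, "Access Mask"), 16)
    names, unknown = decode_mask(mask)
    return {
        "object": field(text, "Object Name"),
        "process": field(text, "Process Name"),
        "rights": names,
        "unknown_bits": unknown,
        "wants_write": bool(mask & WRITE_BITS),
        "wants_ownership_change": bool(mask & OWNERSHIP_BITS),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT))
```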