Mygposts
We have deployed several laptops with a Microsoft SteadyState GPO and
restricted users from saving anything to the local drive.
This is working fine for everyone except the few users who needed to have
wireless USB NICs added to the laptops.
We logged in with our administrator accounts to install the NIC drivers and
vendor software and they are able to log in and successfully connect to the
wireless with their limited user accounts.
Within a few weeks they can no longer log in because their security logs
have grown to over 250 MB and they get a message saying they cannot log in
until the logs are cleared. They do not have rights to clear the logs
themselves and will not be granted those rights, so they have to come in and
have us clear it for them.
The event logs fill with Event 560 several times a second. Sometimes 4
events are timestamped with the same time down to the second.
The event says:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/27/2009
Time: 9:52:28 PM
User: S-1-5-21-1635994856-3625636839-4110126995-1601
Computer: JohnLaptop
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,21101683}
Process ID: 1316
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: JohnLaptop$
Primary Domain: homedomain
Primary Logon ID: (0x0,0x3E7)
Client User Name: jsmith
Client Domain: homedomain
Client Logon ID: (0x0,0x1FDCB)
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Connect to service controller
Create a new service
Enumerate services
Lock service database for exclusive access
Query service database lock state
Set last-known-good state of service database
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Users who log in as an administrator do not get these events.
Is there some way to prevent these failure events from occurring without
granting these users admin rights or turning off auditing?
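
Added example, not part of the original post: a small Python parser for the Event 560 text quoted above that turns the "Accesses" list into a numeric access mask. The bit values are the standard Windows SDK constants (winnt.h / winsvc.h); the function names and the trimmed sample record are constructed for this illustration.

```python
import re
# Access names as Event 560 prints them, with their winnt.h / winsvc.h bit values.
ACCESS_BITS = {
    "DELETE": 0x10000, "READ_CONTROL": 0x20000,
    "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000,
    "Connect to service controller": 0x01,
    "Create a new service": 0x02,
    "Enumerate services": 0x04,
    "Lock service database for exclusive access": 0x08,
    "Query service database lock state": 0x10,
    "Set last-known-good state of service database": 0x20,
}
SC_MANAGER_ALL_ACCESS = 0xF003F  # full control of the service control manager

# Fields copied from the Event 560 record in the post above (trimmed).
SAMPLE_EVENT = """Event Type: Failure Audit
Event ID: 560
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Client User Name: jsmith
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Connect to service controller
Create a new service
Enumerate services
Lock service database for exclusive access
Query service database lock state
Set last-known-good state of service database
Privileges: -"""

def parse_event(text):
    """Split 'Key: value' lines; bare lines continue the previous key's list."""
    fields, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if m:
            current = m.group(1)
            fields[current] = [m.group(2)]
        elif line and current:
            fields[current].append(line)
    return fields

def requested_mask(fields):
    """Sum the distinct bits named under Accesses; unknown names add nothing."""
    return sum(ACCESS_BITS.get(n, 0) for n in set(fields.get("Accesses", [])))
```

For the record in the post the mask comes out as 0xF003F, which is SC_MANAGER_ALL_ACCESS: the client account asked for every right on the service control manager, consistent with the observation that administrator logons do not produce the failure audit.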