Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Auditing Failed Object Access attempts

Status
Not open for further replies.
melfineo

melfineo

IS-IT--Management
Feb 19, 2008
83
FR
On a users folder I have auditing set to log failed list folder read data object access attemps so I can see who is attempting to access this folder. This seems to be working but for some reason certain files within the folder are being flagged when the actual user accesses them even though she has full control of the files and opens them no problem. Event as below, why would this be?

Accesses: DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1030089



 
Sort by date Sort by votes
Could it be applications doing stuff without her intervention?
 
Upvote 0 Downvote
The entry shows under the users logon name. Creator owner and system have full control of the folder also. What could be causing the entry, in terms of applications, some of the files that seem to be causing it are excel and word docs.
 
Upvote 0 Downvote
Would it be possible for a user who is denied access to unknowingly cause the below event in the event log at several different times over 2 days without physically trying to open that particular folder?

Accesses: ReadData (or ListDirectory)

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1
 
Upvote 0 Downvote
I have found my own answer, and doing a search for a doc on the same drive would cause it so this leads to my next question which is can it be tweaked to ignore messages produced by searches?

 
Upvote 0 Downvote
Any thoughts on how to stop searches showing up as failed access attempts?

 
Upvote 0 Downvote
I have not been able to find out how to stop searches showing up as a denied event but they are recognisable as there will be a cluster together under the same name.

I've not got to the bottom of why the owner of the folder is showing up as access denied when they have full access either. Has anyone been in a similar situation before?
 
Upvote 0 Downvote
Hi out there,

i have exact the same problem.

Ihis happens only with Office 2003 Documents (doc and xls in my case)
I have testet this with Office 2007 and Mac Office 2008. There are no such entry in the security Log

kind regrads from Vienna / Austria

Andreas
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Teo En Ming
  • Locked
  • Question
Actions taken during Disaster Recovery for client whose IBM Megaraid controller has failed
Replies
2
Views
443
fightaccording
fightaccording
tscstl
  • Locked
  • Question
access to local folder
Replies
1
Views
243
hairlessupportmonkey
hairlessupportmonkey
andyferris
  • Locked
  • Question
DC Event logs auditing cannot be set by GPO
Replies
1
Views
208
RRankin355
RRankin355
StevenFromSouth
  • Locked
  • Question
VPN Connects but cannot access remote network computers or folders
Replies
1
Views
194
StevenFromSouth
StevenFromSouth
iCDT
  • Locked
  • Question
Remote Desktop Web Access ( No application available)
Replies
2
Views
195
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top