I'm now logging object access for folders on my file server. I've noticed an abundance of false positives showing up as failure audits. Here is an example of what shows up.
Code:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 9/17/2007
Time: 3:00:49 PM
User: [domain]\milp
Computer: BRAVO
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\DATA\milp\PROCLAMATIONS\Words Alive Day Nov 10, 2007.doc
Handle ID: -
Operation ID: {0,45270967}
Process ID: 4
Image File Name:
Primary User Name: BRAVO$
Primary Domain: [domain]
Primary Logon ID: (0x0,0x3E7)
Client User Name: milp
Client Domain: [domain]
Client Logon ID: (0x0,0x2A3DD0B)
Accesses: DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1030089
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
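As an added example (not part of the original post), a Python sketch that parses an exported event 560 like the one above and decodes its Access Mask into the file rights that were requested, so failure audits can be grouped by what was actually asked for. The bit values are the standard winnt.h file access rights; the function names and the trimmed sample text are constructed for illustration.

```python
import re

# File access-right bits (standard winnt.h values), named as event 560 prints them.
FILE_RIGHTS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYS_SEC",
}

def decode_mask(mask):
    """Return (names of the known bits set, any leftover unknown bits)."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    known = sum(bit for bit in FILE_RIGHTS if mask & bit)
    return names, mask & ~known

def parse_560(text):
    """Pull the fields useful for triage out of one exported event 560."""
    def field(label):
        m = re.search(r"^%s:[ \t]*(.*)$" % re.escape(label), text, re.M)
        return m.group(1).strip() if m else None
    mask = int(field("Access Mask"), 16)
    rights, unknown = decode_mask(mask)
    return {"type": field("Event Type"), "client": field("Client User Name"),
            "object": field("Object Name"), "process_id": field("Process ID"),
            "privileges": field("Privileges"), "mask": mask,
            "rights": rights, "unknown_bits": unknown,
            # ACCESS_SYS_SEC is access to the object's SACL (needs SeSecurityPrivilege).
            "wants_sacl": bool(mask & 0x01000000)}

# Constructed sample: a trimmed copy of the event shown in the post.
SAMPLE = """Event Type: Failure Audit
Event ID: 560
Object Name: D:\\DATA\\milp\\PROCLAMATIONS\\Words Alive Day Nov 10, 2007.doc
Process ID: 4
Client User Name: milp
Privileges: -
Access Mask: 0x1030089
"""
```

Running `parse_560` over a batch of exported events and counting by `(client, wants_sacl, tuple(rights))` shows whether the failures share one requested-rights pattern.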