No announcement yet.

Auditing Object Access in Windows 2003 R2

  • Filter
  • Time
  • Show
Clear All
new posts

  • Auditing Object Access in Windows 2003 R2


    I recently noticed a very strange thing with object auditing. I did a clean install of a 2003 R2 server (Standard Edition, SP1) and enabled audit object access, audit account logon and audit logon options in local security policy. I did not enable auditing of any specific object in Windows. Now I get a bunch of 560 and 562 events in security log. Objects accessed are either registry keys or mmc.exe in Windows\System32\ folder. I also have a bunch of events with ID 566 which track access to \policy\Secrets\MachineAcc by NT Authority\Local Service. I tried solution listed under kb 835398 but no luck. Is there any way to turn off logging of these events without turning entire object auditing off?