duplicate eventID 560?



chieko
07-09-2005, 11:52 PM
Hi
Thank you for taking the time to read my question.
I am using a winXP machine to audit folder access on it, and when a user who
does not have permission to view a certain folder tries to anyway, the
security log contains about 15-20 eventID records of the denied access; all
seem to be duplicated except for the process ID number. Does anyone know how
to eliminate the duplication or which records should be given attention?
Thanks,
Chieko

Steven L Umbach
07-09-2005, 11:52 PM
Unfortunately not. Object access will generate a ton of events in the
security log. When you configure auditing of a folder be sure to audit the
bare number of permissions that you want to track instead of all of them. I
find the free tool Event Comb from Microsoft can be very helpful in
searching security logs on one or multiple computers. It also allows for
text string search which allows you to enter a user name, file name,
delete, etc. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308471


"chieko" <chieko@discussions.microsoft.com> wrote in message
news:3EC12D65-B389-47DF-8C95-460157FFA505@microsoft.com...
> Hi
> Thank you for taking the time to read my question.
> I am using a winXP machine to audit folder access on it and when a user
> who
> does not have permission to view a certain folder but they try to anyway,
> the
> security log contains about 15 -20 eventID records of the denied access;
> all
> seem to be duplicated except for the process ID number. Does anyone know
> how
> to eliminate the duplication or which records should be given attention?
> Thanks,
> Chieko

Steven L Umbach
07-09-2005, 11:52 PM
I forgot to add: avoid auditing the Everyone and Authenticated Users
groups. Instead use the Users group or your own group that contains the users
you want to monitor. --- Steve


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eU%23TG2jYFHA.1412@TK2MSFTNGP12.phx.gbl...
> Unfortunately not. Object access will generate a ton of events in the
> security log. When you configure auditing of a folder be sure to audit the
> bare number of permissions that you want to track instead of all of them.
> I find the free tool Event Comb from Microsoft can be very helpful in
> searching security logs on one or multiple computers. It also allows for
> text string search which allows you to enter a user name, file name,
> delete, etc. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;308471
>
>
> "chieko" <chieko@discussions.microsoft.com> wrote in message
> news:3EC12D65-B389-47DF-8C95-460157FFA505@microsoft.com...
>> Hi
>> Thank you for taking the time to read my question.
>> I am using a winXP machine to audit folder access on it and when a user
>> who
>> does not have permission to view a certain folder but they try to anyway,
>> the
>> security log contains about 15 -20 eventID records of the denied access;
>> all
>> seem to be duplicated except for the process ID number. Does anyone know
>> how
>> to eliminate the duplication or which records should be given attention?
>> Thanks,
>> Chieko
>
>
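One way to triage the near-identical records discussed in this thread, as an added example that is not part of any poster's message: collapse event 560 failure audits that share a user and object name within a short window, keeping the process IDs as context instead of treating them as distinct events. The field labels, the timestamp-plus-description export format, the 5-second window and the sample records are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed description layout: "Label:<tab>value" lines such as Object Name,
# Process ID, Primary User Name, Accesses (only the first access line is read).
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", re.M)

def parse(description):
    return {k.strip(): v.strip() for k, v in FIELD.findall(description)}

def collapse(records, window=timedelta(seconds=5)):
    """Merge failures sharing user and object within `window` of the group's
    first record. Process ID is collected for context, never compared."""
    groups, latest = [], {}
    for stamp, description in sorted(records):
        f = parse(description)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = (f.get("Primary User Name", "?").lower(),
               f.get("Object Name", "?").lower())
        g = latest.get(key)
        if g is None or when - g["first"] > window:
            g = {"user": key[0], "object": key[1], "first": when,
                 "count": 0, "pids": set(), "accesses": set()}
            groups.append(g)
            latest[key] = g
        g["count"] += 1
        g["pids"].add(f.get("Process ID", "?"))
        g["accesses"].add(f.get("Accesses", "?"))
    return groups

def _rec(stamp, user, pid, obj=r"C:\Payroll"):
    # Builds one constructed record; not real log data.
    return (stamp, "Object Open:\n\tObject Server:\tSecurity\n"
            f"\tObject Type:\tFile\n\tObject Name:\t{obj}\n"
            f"\tProcess ID:\t{pid}\n\tPrimary User Name:\t{user}\n"
            "\tAccesses:\tReadData (or ListDirectory)\n")

SAMPLE = [_rec("2005-07-09 23:40:01", "jdoe", 1204),
          _rec("2005-07-09 23:40:01", "jdoe", 1388),
          _rec("2005-07-09 23:40:02", "jdoe", 1204),
          _rec("2005-07-09 23:40:02", "asmith", 940),
          _rec("2005-07-09 23:55:10", "jdoe", 1204)]

if __name__ == "__main__":
    for g in collapse(SAMPLE):
        print(g["first"], g["user"], g["object"], f"x{g['count']}",
              "pids=" + ",".join(sorted(g["pids"])))
```

Each output row is one denied attempt to review; a second row for the same user and folder later in the log is a separate attempt rather than a duplicate.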

