These events appear if you have not configured the security access control list (SACL) on the object that you are auditing. The events also appear if you have configured the SACL, but not for all the listed accesses. For example, these events are logged when a user or a program reads a registry subkey, and you have not selected the Read Control or the Query Value check box in the auditing entry for that registry subkey.
Note For additional information about how to configure auditing, see the "More Information" section.
- You enable the Audit the access of global system objects Local Security Policy setting. If you enable this setting, many audit events will be generated. These events will typically be source security events with Event ID 560, where the object type is event, mutant, process, section, semaphore, thread, or token. These events are of interest only to a system developer. Typically, the Audit the access of global system objects Local Security Policy setting is not enabled.
- You enable auditing on a domain controller. When you enable auditing on a domain controller, audit events will be generated that typically contain references to the following object types:
- You use an application that opens audited objects too frequently or that opens audited objects with greater access than the application requires. For example, the application may request full control access when the application requires only read access. When this behavior occurs, events may be generated where the referenced process is always the same application.
Method 1Disable the Audit the access of global system objects Local Security Policy setting if you have previously enabled this setting. To do this, follow these steps:
- Click Start, click Run, type gpedit.msc, and then click OK.
- Locate the following entry: Console Root\Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
- Double-click the Audit the access of global system objects policy, click Disabled under Local Policy, and then click OK.
- On the Console menu, click Exit, and then restart the computer.
Method 2Use the ADSI Edit snap-in to remove the auditing entries on the SACL for a SAM object if you have enabled auditing on a domain controller. To do this, follow these steps.
Note The ADSI Edit snap-in is located in the Support folder on the Windows 2000 installation CD-ROM.
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
- Log on to the domain controller by using an account that has Domain Administrator permissions.
- Click Start, click Run, type adsiedit.msc, and then click OK.
- In the ADSI Edit management console, right-click ADSI Edit, and then click Connect to.
- In the Connection dialog box, make sure that the Distinguished Name option is selected, and then type the following in the Distinguished Name field:CN=Server,CN=System,DC=Domain_Name,DC=Domain_Extensionaceholder throughout these steps.
- Select the Default (Domain or Server that you logged in to) option, and then click OK.
- In the ADSI Edit management console, right-click the CN=Server,CN=System,DC=Domain_Name,DC=Domain_Extension folder, and then click Properties.
- In the CN=Server,CN=System,DC=Domain_Name,DC=Domain_Extension Properties dialog box, click the Security tab.
- Click Advanced, and then click the Auditing tab.
- Click to clear the Allow inheritable auditing entries from parent to propagate to this object check box.
- When you are prompted with the following message, click Remove.
- Click OK two times to save the setting and to close the CN=Server,CN=System,DC=Domain_Name,DC=Domain_Extension Properties dialog box.
Method 3Configure the custom application to open audited objects only as required. For example, configure the custom application to request only the minimum access that is required. If the custom application requires only read access for a specific object, assign only read access. In this case, full control access is not required.
Windows implements this auditing method to maintain compliance with the Common Criteria certification standards and, previously, the C2 certification standards. For additional information about C2 audit requirements, see A Guide to Understanding Audit in Trusted Systems. To see this guide, visit the following Web page:
- Introduction of objects into a user's address space
- Deletion of objects from a user's address space
For additional information about the Common Criteria certification standards, visit the following Microsoft Web site: For additional information about how to audit registry keys, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 841001 - Last Review: Feb 15, 2017 - Revision: 3