Security log filling up with 4662 events in...
Posted 10/7/2009 4:32:26 PM
Forum Newbie


Group: Forum Members
Last Login: 10/20/2009 9:15:56 AM
Posts: 6, Visits: 2
I've got a Windows 2008 server which is my domain controller (a second DC is running Windows 2003, so functionally, the domain is at 2003 level).

I get a bunch of 4662 - an object has been accessed.  And I mean a lot of them when I say a bunch.  I've tried everything - not auditing objects, resetting the SACL to ensure read only is not set, I've checked the local policy and registry setting in case they were somehow over riding the domain group policy and I've not been able to find anything that is causing this event to be logged.

I'm really at my wits end here.

Post #225
Posted 10/9/2009 7:59:33 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
OK, should be simple to diagnose.  I'm going to assume first that you do not have specific Active Directory auditing you want to perform.  I'll re-visit that assumption later.

Are you getting gobs of 566 events on your Windows Server 2003 domain controller? (566 is the equivalent event to 4662 in 2003)

  • Yes: You need to disable "Audit directory service access" on your domain controllers.  That is normally enabled in the Default Domain Controllers Policy GPO.  To find out for sure where a setting is coming from use the Group Policy Management Console's Results Wizard.
  • No: That indicates that the audit policy setting is specific to the 2008 domain controllers.  Check the following settings in the local policy object on that DC by running MMC and then loading the group policy editor (gpedit.msc).  The settings to check are:

Are there specific objects and changes in Active Directory that you want to audit?  If so, you will need to clear out the SACL of each object in AD and delete the default SACL for each object class in AD schema before you begin.

That is easier said than done.  In fact I'm currently developing a utility to do just that.  Stay tuned.

Post #229
Posted 10/17/2009 11:44:12 PM
Forum Newbie


Group: Forum Members
Last Login: 10/20/2009 9:15:56 AM
Posts: 6, Visits: 2
Thank you for your reply.

Sorry, but my 2003 DC is no longer around, so I cannot check for any events on it.  I now have two (2) 2008 DCs still running in 2003 functional level.  And still getting these messages.

I ran auditpol /get /category:*

Everything is set for no auditing or failure except for this:

DS Access
  Directory Service Changes No Auditing
  Directory Service Replication No Auditing
  Detailed Directory Service Replication No Auditing
  Directory Service Access Success

Running group modeling wizard on one of the DCs, gets me this for the Audit Policy:

Audit account logon events Failure
Audit account management Failure
Audit directory service access No auditing
Audit logon events Failure
Audit object access No auditing
Audit policy change Failure
Audit privilege use Failure
Audit process tracking No auditing
Audit system events Failure

All coming from the Default Domain Controllers Policy (Winning GPO)

Looking at the events on DC2, I see that the Security ID: is my domain/DC1$ and the account name is: DC1$

But I am unable to put in DC1$ as a user in the Group Policy Modeling Wizard - my thinking was that maybe somehow there is a user policy associated with this apparent system account.

Post #240
Posted 10/18/2009 12:07:34 AM
Forum Newbie


Group: Forum Members
Last Login: 10/20/2009 9:15:56 AM
Posts: 6, Visits: 2
Looking closer at these events, I notice they are referencing object type: domainDNS

So, I went into both DNS servers and changed event logging to No events, but I am still getting these 4662's in the Security event log.

Darn - thought I may have found something there!

Post #241
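The triage done by hand in the posts above (reading the Security ID and the object type out of each 4662 event) is quicker to do in bulk. The following PowerShell is an added example, not code from the thread or from the forum's author: it parses the XML of a 4662 event into a flat object and groups the live Security log by subject account and object type so the noisiest source stands out. The sample event, its SID, domain name and DN are constructed placeholders; the one schema GUID in the lookup table is the well-known schemaIDGUID of the domainDNS class, which is what the rendered event shows as "domainDNS".

```powershell
# Added example (not from the thread): summarise who and what is generating
# 4662 "An operation was performed on an object" events on a domain controller.
# Run in an elevated PowerShell session on the DC; only the Security log is read.

# The event XML stores the object type as a schema class GUID; Event Viewer
# resolves it to the class name. Only the class seen in this thread is mapped.
$ObjectTypeNames = @{
    '19195a5b-6da0-11d0-afd3-00c04fd930c9' = 'domainDNS'   # well-known schemaIDGUID
}

function ConvertFrom-Event4662 {
    # Parse one 4662 event (as the XML text returned by EventLogRecord.ToXml()).
    param([Parameter(Mandatory)][string]$EventXml)

    [xml]$x = $EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $data = @{}
    foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $typeGuid = ($data['ObjectType'] -replace '[%{}]', '').ToLower()

    [pscustomobject]@{
        TimeCreated = [datetime]$x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectType  = if ($ObjectTypeNames.ContainsKey($typeGuid)) { $ObjectTypeNames[$typeGuid] } else { $typeGuid }
        ObjectName  = $data['ObjectName']
        AccessMask  = $data['AccessMask']
    }
}

function Get-Event4662Summary {
    # Pull the most recent 4662 events from the live Security log and count
    # them per subject account and object type, noisiest first.
    param([int]$MaxEvents = 5000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-Event4662 -EventXml $_.ToXml() } |
        Group-Object Subject, ObjectType |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Subject';    e = { $_.Group[0].Subject } },
            @{ n = 'ObjectType'; e = { $_.Group[0].ObjectType } }
}

# Constructed sample in the shape ToXml() returns; the SID, domain and DN are
# placeholders, not values taken from any real domain controller.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2009-10-18T05:07:34.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1000</Data>
    <Data Name="SubjectUserName">DC1$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="ObjectName">DC=example,DC=local</Data>
    <Data Name="AccessMask">0x100</Data>
  </EventData>
</Event>
'@

ConvertFrom-Event4662 -EventXml $sample | Format-List
# On the DC itself:  Get-Event4662Summary | Format-Table -AutoSize
```

A summary dominated by a single machine account (the DC1$ seen in the thread) against the domainDNS object is the signature of routine directory reads by the DC itself, which is why turning DNS event logging down had no effect: the events are produced by the audit subsystem, not by the DNS service.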
Posted 10/19/2009 10:38:16 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
What is the status of Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings?
Post #242
Posted 10/19/2009 4:37:13 PM
Forum Newbie


Group: Forum Members
Last Login: 10/20/2009 9:15:56 AM
Posts: 6, Visits: 2

For both the default domain policy and the default domain controllers policy it is: Not Defined.

Post #243
Posted 10/19/2009 4:47:28 PM
Forum Newbie


Group: Forum Members
Last Login: 10/20/2009 9:15:56 AM
Posts: 6, Visits: 2
For grins I checked the Local Security Policy setting of each DC as well and they are both Not Defined for the Force Audit policy subcategory setting.
Post #244
Posted 10/19/2009 6:05:55 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Well 4662 comes from the  "Directory Service Access" subcategory which is enabled according to auditpol.  Disable that with auditpol and it should go away.

also for grins, check local policies\audit policy\audit directory service access in Local Security Policy on your DCs

Post #245
Posted 10/20/2009 9:21:19 AM
Forum Newbie


Group: Forum Members
Last Login: 10/20/2009 9:15:56 AM
Posts: 6, Visits: 2
RandyFranklinSmith (10/19/2009)
Well 4662 comes from the  "Directory Service Access" subcategory which is enabled according to auditpol.  Disable that with auditpol and it should go away.

also for grins, check local policies\audit policy\audit directory service access in Local Security Policy on your DCs

Local policies are set at no auditing.

It was this auditpol thing that I need to learn more about.  You were right on target!

For anyone else who is interested, following instructions on this page:

http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Auditpol

I did a:
auditpol /get /category:*
which showed Directory Service Access set for auditing successful events

Then I did a:
auditpol /set /subcategory:"Directory Service Access" /success:disable

Did another auditpol /get /category:* to ensure the value was changed because I'm just like that.

This generated an Audit Success 4719 Event "Audit Policy Change" in the Security event log.

I did this on both of my Domain Controllers, though I'm not sure if that was necessary or not.

Thank you for all of your help, Randy!  I really appreciate it!

Post #246
Posted 3/10/2010 5:34:54 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Glad that helped.  FYI, yes you do need to run auditpol on each DC.  Win2008 R2 introduces new settings in group policy for managing audit categories.
Post #328
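Since the fix has to be applied and verified per DC, and the thread also asks about the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" option, here is an added PowerShell example (not code from the thread, the forum or its author) that reports both on every DC and, on request, applies the same auditpol change the original poster ran. It assumes PowerShell remoting is enabled on the DCs and that the caller is a local administrator there; the DC names are supplied by the caller, for instance from Get-ADDomainController. The registry value queried, SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, is the value that group policy option sets; it is absent when the option is "Not Defined".

```powershell
# Added example (not from the thread): check, and optionally clear, success
# auditing for the "Directory Service Access" subcategory on every DC.
# Assumes PowerShell remoting to the DCs and local admin rights on them.

function Get-DsAccessAuditState {
    # One object per DC: the effective subcategory setting as auditpol reports
    # it, plus the registry value behind the group policy option
    # "Audit: Force audit policy subcategory settings ... to override audit
    # policy category settings" (SCENoApplyLegacyAuditPolicy; 1 = enabled,
    # absent = Not Defined).
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # /r emits CSV with the columns:
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $row = auditpol /get /subcategory:"Directory Service Access" /r |
            Where-Object { $_ -match ',' } | ConvertFrom-Csv
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop

        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            DsAccessInclusion   = $row.'Inclusion Setting'          # e.g. "Success", "No Auditing"
            SubcategoryOverride = $lsa.SCENoApplyLegacyAuditPolicy  # $null when Not Defined
        }
    } | Select-Object Computer, DsAccessInclusion, SubcategoryOverride
}

function Disable-DsAccessSuccessAudit {
    # Applies the fix from the thread on each DC and reads the setting back.
    # The change itself is logged as a 4719 "Audit Policy Change" event, which
    # is the record to look for when verifying who changed audit policy.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        auditpol /set /subcategory:"Directory Service Access" /success:disable | Out-Null
        auditpol /get /subcategory:"Directory Service Access" /r |
            Where-Object { $_ -match ',' } | ConvertFrom-Csv |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, 'Inclusion Setting'
    } | Select-Object Computer, 'Inclusion Setting'
}

# Usage (the DC list comes from the RSAT ActiveDirectory module, or type the names):
# $dcs = (Get-ADDomainController -Filter *).HostName
# Get-DsAccessAuditState -ComputerName $dcs | Format-Table -AutoSize
# Disable-DsAccessSuccessAudit -ComputerName $dcs | Format-Table -AutoSize
```

Run the check first: if DsAccessInclusion is "Success" on a DC where the group policy category shows "No auditing", the subcategory is being set locally by auditpol, exactly the situation in this thread. Disabling the subcategory removes all success auditing of directory reads on that DC, so where specific AD objects do need auditing the alternative Randy describes earlier, keeping the subcategory on and trimming the SACLs down to the objects of interest, is the better trade.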