Dumbass Computer Question of the Week, More Folder Access Auditing Weirdness

So here’s the issue…

We have a Windows 2000 Server file server. For our intents and purposes this will be called Server1. Auditing is enabled in the local computer policy.

On Server1 we have a confidential shared folder named Confidential. We have object access auditing configured on this folder for failed access attempts. The location of the folder is C:\FirstSharedFolder\Confidential

Also on Server1 we have another shared folder named Projects. Projects does not have auditing configured. The location of the folder is C:\SecondSharedFolder\Shares\Projects.

Every time one of our staff members tries to access a Word document in C:\SecondSharedFolder\Shares\Projects, an object access failure event is logged for C:\FirstSharedFolder\Confidential.

I can’t figure this out…this is extremely strange. So far this issue is only affecting one user and one location. I haven’t been able to recreate it with other users. As far as I can tell nothing in the Word doc in question is linked to the Confidential folder at all…

As always…help is very much appreciated. You guys rule.

No one’s seen this before? heh

I assume this user’s permissions and groups have been checked?

swarz… i’ve dealt with this before, but not in the same type of situation… i wrote a vb script to actually monitor network shares… maybe that could be something you’d be interested in?

point aside, have you moved the user’s ou (any policy tied to the account) and ‘started from scratch’… can you make it happen with the same user on different machines? it sounds like a persistent connection issue, assuming that user, at some point, was mapped to that share…?

sucks man… when in doubt, move the user’s account, remove the local policy, run a gpupdate and reapply the policies to see if it’s still an issue…

F managers that want you to audit network shares!

Hey now :nono:

you never asked me to! we just locked them down to the point of not being able to save :rofl:

ya got that right

Is that user able to access the word doc or are they getting denied?

This shit is killing me, LOL

I think I fixed yesterday’s problem (got a new one today). Even though no folder level auditing was configured server wide, I specifically configured no auditing on all of the non-audited files and folders. This made our false alarm events go away.

Now I have a new issue: For each single access failure, I’m getting 50+ failure events written to the security log (and subsequently, 50+ email alerts sent). The number of events written is not consistent; I had several users test this just now; when trying to access the folder in the exact same manner one of the users generated 49 events, one generated 54 events, and the last one generated 117 events…argh.

i wrote a vb script to actually monitor network shares… maybe that could be something you’d be interested in?

I so need to learn VBScript.

Appreciate all of you guys’ feedback as usual…thanks.

Got a case opened with M$ for this one. :smiley:

do you have premier support? (assigned a TAM?) if so… let me know… she’s a nice lady.

:slight_smile:

We never talk to the MS people…we tell Synergy IT what’s going on, ask them to open a case with MS, and they deal with them. While I’ve never talked to MS support, I’ve heard that it’s generally not a fun experience…so I’m fine with our setup.

I don’t expect to hear anything until Monday, to be honest.

Something is definitely out of whack with the file permissions…

Let us know what they come up with!

I’ve gotten a mix of locations from MS support calls but I don’t have a problem working with non-Americans or understanding them for that matter. (I laugh on the inside when other dudes get pissed/racist on the phone). Once you get 3 levels deep, those dudes are MS ballers and they don’t get off the phone until shit is fixed. For 500 bones ur prob better off polishing up on ur Technet search skillz. Their kb article search keeps getting better and from personal experience have been able to resolve some pretty big issues w/o contacting Microshaft.

Nothing out there that gave any info about this one…no one has even reported the same problem…

Wouldn’t want to escalate if I didn’t have to.

Been escalated twice with MS now. Now being handled by a “Team Manager” with “Microsoft Enterprise Platform Support”. No one can figure out WTF is going on here.

sucks… what’s the problem again? when people are accessing the share they are getting a success event and random failed events???

i would try to narrow down the users to OS levels and AD OU’s… to try to see if anything similar is being affected… if some dude is sitting on an old box he might be using ipc$ to connect or something dumb in the background that is causing more events than the others? (example of a random situation)
i dunno… just a thought… you can use VB to cut through the BS events to narrow down on the ones you are interested in… are you using MOM for reporting, it does the same but has a decent gui?

Appreciate the feedback, seriously…but yeah, I’ve already gone over all of that kind of stuff. Here’s the basic scenario again (lifted from my Experts-Exchange post…no one there can figure this out either):

Background:
I’m conducting object access auditing on several shared folders on one of our file servers. The file server is a Windows Server 2000 box with Service Pack 4.

I configured the local machine policy to audit “Success, Failure” for the Audit Object Access policy. I then configured auditing at the folder level for three shared folders. These folders are member folders in our DFS. At the folder level, I configured auditing for the “Domain Users” group, and specified “List Folder/Read Data” to be audited for Failed access attempts only. (I know that the best practice is to audit the “Everyone” group, but this was causing false hits due to System access failures due to indexing, persistent connections, etc. - we only need to audit the domain users group for our purposes anyway).

The problem:
At random intervals, a failed object access attempt will spawn a totally random number of events written to the security log, instead of one. I tested this extensively with a test domain user account without permissions to the folders- while attempting to access the SAME folder in the SAME manner, sometimes the failed access attempt would write one entry to the security log, sometimes it would write a random number. One failed attempt created 107 entries in the security log. Several times 50+ events were written (all for one failed object access attempt). All events are the correct Event ID 560.

I cannot find any logic to this. I have a case opened with Microsoft, but haven’t gotten any results from them.

i would try to narrow down the users to OS levels and AD OU’s… to try to see if anything similar is being affected… if some dude is sitting on an old box he might be using ipc$ to connect or something dumb in the background that is causing more events than the others? (example of a random situation)

A perfectly logical answer…but not the case here. My test user accounts, from my workstation, from other workstations, and from a test server, all behave the same way- sometimes they generate one Event 560 (as they should), other times they generate 40, 50, or more.

i dunno… just a thought… you can use VB to cut through the BS events to narrow down on the ones you are interested in… are you using MOM for reporting, it does the same but has a decent gui?

We’re using Open View for reporting and alerts.

Thanks again. I’ll update this post whenever MS gives me a solution. At this point they still haven’t come up with anything.

Silly question time:

Are both the DC and client machine fully patched and up to date (as up-to-date that 2ksp4 can be)?

Have you tried taking the folders out of the DFS and then trying to access them from the troublesome client machine?

Are there any other security event ID’s listed in the event viewer? Looking for like 681 or something. Also, anything in the event logs of the client machine?

Are you using a network time server to sync all the client machines?

Are there any advanced security permissions on the folder?

Are both the DC and client machine fully patched and up to date (as up-to-date that 2ksp4 can be)?

Yes

Have you tried taking the folders out of the DFS and then trying to access them from the troublesome client machine?

No…not an option at this time, unfortunately. I wanted to do this.

Furthermore, there isn’t one troublesome client machine- EVERY client machine is troublesome here.

Are there any other security event ID’s listed in the event viewer? Looking for like 681 or something. Also, anything in the event logs of the client machine?

No.

Are you using a network time server to sync all the client machines?

Yes.

Are there any advanced security permissions on the folder?

No- unless you count the audit settings.

Thanks…

Anyone who figures this out is a god…so far it’s got Experts-Exchange, all of our staff here, our SynergyIT consultants, and MS themselves all stumped!
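
Added example, not part of the original thread: one way to keep a single failed access from turning into dozens of email alerts is to collapse failed Event ID 560 records for the same user and object into one burst before alerting. The row layout, account names, timestamps and the 10-second gap are assumptions made for illustration; this only tames the alerting and does not explain why the server writes the extra events.

```python
from datetime import datetime, timedelta

CONFIDENTIAL = r"C:\FirstSharedFolder\Confidential"  # folder path from the thread


def constructed_sample():
    """Constructed rows (time, event_id, type, user, object); not real log data."""
    t0 = datetime(2000, 1, 1, 9, 0, 0)
    rows = [(t0 + timedelta(milliseconds=50 * i), "560", "Failure",
             r"DOMAIN\test1", CONFIDENTIAL) for i in range(54)]
    rows.append((t0 + timedelta(seconds=1), "560", "Failure",
                 r"DOMAIN\test2", CONFIDENTIAL))
    rows.append((t0 + timedelta(seconds=2), "560", "Success",
                 r"DOMAIN\test3", CONFIDENTIAL))
    rows.append((t0 + timedelta(minutes=5), "560", "Failure",
                 r"DOMAIN\test1", CONFIDENTIAL))
    return rows


def collapse_bursts(rows, max_gap=timedelta(seconds=10)):
    """Merge failed 560 events for one (user, object) into bursts.

    An event joins the current burst when it arrives within max_gap of the
    previous event for the same user and object; otherwise it starts a new one.
    """
    current = {}   # (user, object) -> burst still accepting events
    bursts = []    # every burst, in order of first event
    for when, event_id, kind, user, obj in sorted(rows, key=lambda r: r[0]):
        if event_id != "560" or kind != "Failure":
            continue
        key = (user.lower(), obj.lower())
        burst = current.get(key)
        if burst is not None and when - burst["last"] <= max_gap:
            burst["last"] = when
            burst["count"] += 1
        else:
            burst = {"user": user, "object": obj,
                     "first": when, "last": when, "count": 1}
            current[key] = burst
            bursts.append(burst)
    return bursts


if __name__ == "__main__":
    for b in collapse_bursts(constructed_sample()):
        print(f'{b["first"]:%H:%M:%S} {b["user"]} -> {b["object"]}: '
              f'{b["count"]} event(s), one alert')
```

Keeping the per-burst count in the alert preserves the evidence of how many events the server wrote for each attempt.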