| Author | Messages | |
davyp
Posts:38
 | | 09/21/2009 7:31 PM |
| Hi all,
For debugging purposes I work with ADs that do a lot of auditing on Access denieds.
Even in my superclean reference environment, I keep getting access denieds from the Domain Controller himself on his own computer object, even to read!
Does anyone know why this could be happening or provide me with an insight on how I should interpret the GUIDs?
Best regards,
DavyP
Detailed info:
I use a freshly installed W2K8R2 AD for reference.
I enabled audit policy for DS access and account management on failure to make sure I see any issues with my delegation model.
On top of that I am auditing full control failures for everyone on the Domain NC and configuration NC.
Now I keep getting the following audit failures in my event log (event id 4662, Directory Service Access) in sets of 3 as shown below.
REFERENCE is the domain name and WIN-7D627LMVSTN is the hostname of the one and only Domain Controller.
I looked up the GUIDs and added the explanations.
I am pretty new to W2K8, but to me it looks like the computer account of the DC is trying to connect to his own computer object over the network.
Event 1
An operation was performed on an object.
Subject :
Security ID: NETWORK SERVICE
Account Name: WIN-7D627LMVSTN$
Account Domain: REFERENCE
Logon ID: 0x3e4
Object:
Object Server: DS
Object Type: computer
Object Name: CN=WIN-7D627LMVSTN,OU=Domain Controllers,DC=reference,DC=nl
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Read Property
Access Mask: 0x10
Properties: ---
{59ba2f42-79a2-11d0-9020-00c04fc2d3cf} rightsGuid: General-Information
{3e0abfd0-126a-11d0-a060-00aa006c33ed} schemaIDGUID: SAM-Account-Name
{bf967a86-0de6-11d0-a285-00aa003049e2} schemaIDGUID: Computer
Additional Information:
Parameter 1: -
Parameter 2:
Event 2
An operation was performed on an object.
Subject :
Security ID: NETWORK SERVICE
Account Name: WIN-7D627LMVSTN$
Account Domain: REFERENCE
Logon ID: 0x3e4
Object:
Object Server: DS
Object Type: computer
Object Name: CN=WIN-7D627LMVSTN,OU=Domain Controllers,DC=reference,DC=nl
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Write Property
Access Mask: 0x20
Properties: ---
{e48d0154-bcf8-11d1-8702-00c04fb96050} rightsGuid: Public-Information
{f3a64788-5306-11d1-a9c5-0000f80367c1} rightsGuid: Validated-SPN
{bf967a86-0de6-11d0-a285-00aa003049e2} schemaIDGUID: Computer
Additional Information:
Parameter 1: -
Parameter 2:
Event 3
An operation was performed on an object.
Subject :
Security ID: NETWORK SERVICE
Account Name: WIN-7D627LMVSTN$
Account Domain: REFERENCE
Logon ID: 0x3e4
Object:
Object Server: DS
Object Type: computer
Object Name: CN=WIN-7D627LMVSTN,OU=Domain Controllers,DC=reference,DC=nl
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Write Self
Access Mask: 0x8
Properties: ---
{e48d0154-bcf8-11d1-8702-00c04fb96050} rightsGuid: Public-Information
{f3a64788-5306-11d1-a9c5-0000f80367c1} rightsGuid: Validated-SPN
{bf967a86-0de6-11d0-a285-00aa003049e2} schemaIDGUID: Computer
Additional Information:
Parameter 1: -
Parameter 2:
| | | |
| davyp
Posts:38
 | | 09/28/2009 4:30 PM |
| Nobody has any ideas?
DavyP
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Davy Pierson Sent: maandag 21 september 2009 12:29 To: activedir@mail.activedir.org Subject: [ActiveDir] auditting weirdness on clean W2K8R2 AD
| | | |
| dgavrilov
Posts:59
 | | 09/28/2009 4:44 PM |
| No, it's some service running on the DC, under NetworkService account. It is not going out to network to connect, so it is connecting directly as "NetworkService", not as computer account. NetworkService does not have sufficient permissions granted on the DC account to do whatever it needs to do.
You might be able to correlate the LogonID value to a specific process running on the box. Sorry, I am not sure how to do this.
Dmitri
| | | |
|
|
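An added example, not part of the original thread: a small parser that decodes the Access Mask, Logon ID and property GUIDs of 4662 events like the three posted above and collapses a burst into one finding. The GUID names are the ones the original poster looked up; `_event` and `SAMPLE` are helper names assumed here to rebuild the posted events from their key fields. Note that 0x3e4 is the fixed logon session for NETWORK SERVICE, so the Logon ID narrows the source to services running under that account rather than to one process.

```python
import re

# Directory-service access-right bits carried in "Access Mask" (ADS_RIGHTS_ENUM).
DS_RIGHTS = {0x1: "Create Child", 0x2: "Delete Child", 0x4: "List Contents",
             0x8: "Write Self", 0x10: "Read Property", 0x20: "Write Property",
             0x40: "Delete Tree", 0x80: "List Object", 0x100: "Control Access"}
# Fixed logon-session IDs: every process running as that account shares the ID.
WELL_KNOWN_LOGON_IDS = {0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE", 0x3E7: "SYSTEM"}
GUID_NAMES = {  # names as looked up by the original poster
    "59ba2f42-79a2-11d0-9020-00c04fc2d3cf": "General-Information",
    "3e0abfd0-126a-11d0-a060-00aa006c33ed": "SAM-Account-Name",
    "e48d0154-bcf8-11d1-8702-00c04fb96050": "Public-Information",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "Validated-SPN",
    "bf967a86-0de6-11d0-a285-00aa003049e2": "Computer",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")
MARKER = "An operation was performed on an object."

def _event(mask, *names):  # rebuilds one failure from the thread, reduced fields
    ids = {v: k for k, v in GUID_NAMES.items()}
    props = "\n".join("{%s}" % ids[n] for n in names)
    return (f"{MARKER}\nLogon ID: 0x3e4\nObject Name: CN=WIN-7D627LMVSTN,"
            f"OU=Domain Controllers,DC=reference,DC=nl\nAccess Mask: {mask}\n{props}\n")

SAMPLE = (_event("0x10", "General-Information", "SAM-Account-Name", "Computer")
          + _event("0x20", "Public-Information", "Validated-SPN", "Computer")
          + _event("0x8", "Public-Information", "Validated-SPN", "Computer"))

def field(text, name):
    m = re.search(re.escape(name) + r":[ \t]*(\S.*)", text)
    return m.group(1).strip() if m else None

def parse_4662(text):
    mask, logon_id = (int(field(text, n), 16) for n in ("Access Mask", "Logon ID"))
    return {
        "object": field(text, "Object Name"),
        "session": WELL_KNOWN_LOGON_IDS.get(logon_id, hex(logon_id)),
        "rights": [name for bit, name in DS_RIGHTS.items() if mask & bit],
        "props": [GUID_NAMES.get(g.lower(), g) for g in GUID_RE.findall(text)],
    }

def summarize(log):  # one finding per (logon session, object)
    out = {}
    for chunk in filter(str.strip, log.split(MARKER)):
        e = parse_4662(chunk)
        entry = out.setdefault((e["session"], e["object"]), {"rights": set(), "props": set()})
        for k in entry:
            entry[k].update(e[k])
    return out
```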