Windows Server - Audit "List folder / read data" False Positives in event viewer!!

Asked By ColinCrai on 17-Aug-07 11:56 AM
I've enabled audit logging for the company I work for and its not working
how I'd like it to. I've enabled 'audit object access' in AD and turned on
file access; however it also is giving several false positives. Here is an
example from my event viwer.


Event Type:	Failure Audit
Event Source:	Security
Event Category:	Object Access
Event ID:	560
Date:		17/08/2007
Time:		9:18:43 AM
User:		DOMAIN\grav
Computer:	BL2WIN3FPS
Description:
Object Open:
Object Server:	Security
Object Type:	File
Object Name:	D:\Treasury Data\Common\Parking\TOW LIST.xls
Handle ID:	-
Operation ID:	{0,805667365}
Process ID:	4
Image File Name:
Primary User Name:	BL2WIN3FPS$
Primary Domain:	DOMAIN
Primary Logon ID:	(0x0,0x3E7)
Client User Name:	grvy
Client Domain:	DOMAIN
Client Logon ID:	(0x0,0x2FC3521A)
Accesses:	                DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges:	-
Restricted Sid Count:	0
Access Mask:	0x1030089

I have checked serveral files and users can access the files that its
logging in my event viewer.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

My File print server is 2003 sp2 all updates applied. I only want to audit
unsuccesful file access attempts.

--
Colin Craig
MCSE, MCSA, A+




colincrai replied on 19-Sep-07 05:08 PM
On Aug 17, 10:56 am, Colin Craig

This is ridiculous!! I've been researching this for ever!! I've posted
on every single windows forum I can think of and not one person has
given me a suggestion!! I will take anything you can think of!! please
help!!