Windows Server - Audit "List folder / read data" False Positives in event viewer!!

Asked By ColinCrai on 17-Aug-07 11:56 AM
I've enabled audit logging for the company I work for and its not working
how I'd like it to. I've enabled 'audit object access' in AD and turned on
file access; however it also is giving several false positives. Here is an
example from my event viwer.

Event Type:	Failure Audit
Event Source:	Security
Event Category:	Object Access
Event ID:	560
Date:		17/08/2007
Time:		9:18:43 AM
User:		DOMAIN\grav
Computer:	BL2WIN3FPS
Object Open:
Object Server:	Security
Object Type:	File
Object Name:	D:\Treasury Data\Common\Parking\TOW LIST.xls
Handle ID:	-
Operation ID:	{0,805667365}
Process ID:	4
Image File Name:
Primary User Name:	BL2WIN3FPS$
Primary Domain:	DOMAIN
Primary Logon ID:	(0x0,0x3E7)
Client User Name:	grvy
Client Domain:	DOMAIN
Client Logon ID:	(0x0,0x2FC3521A)
Accesses:	                DELETE
ReadData (or ListDirectory)

Privileges:	-
Restricted Sid Count:	0
Access Mask:	0x1030089

I have checked serveral files and users can access the files that its
logging in my event viewer.

For more information, see Help and Support Center at

My File print server is 2003 sp2 all updates applied. I only want to audit
unsuccesful file access attempts.

Colin Craig

colincrai replied on 19-Sep-07 05:08 PM
On Aug 17, 10:56 am, Colin Craig

This is ridiculous!! I've been researching this for ever!! I've posted
on every single windows forum I can think of and not one person has
given me a suggestion!! I will take anything you can think of!! please