Event 4674: "An operation was attempted on a privileged object" on Windows Server 2008 — what does it mean?
A while ago I enabled auditing on my WS2008 servers and started noticing the following event repeating in the Security log.

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 12/14/2008 7:10:02 PM
    Event ID: 4674
    Task Category: Sensitive Privilege Use
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: <Computer FQDN Here>
    Description:
    An operation was attempted on a privileged object.

    Subject:
      Security ID: LOCAL SERVICE
      Account Name: LOCAL SERVICE
      Account Domain: NT AUTHORITY
      Logon ID: 0x3e5

    Object:
      Object Server: Security
      Object Type: -
      Object Name: -
      Object Handle: 0x0

    Process Information:
      Process ID: 0x294
      Process Name: C:\Windows\System32\lsass.exe

    Requested Operation:
      Desired Access: 16777216
      Privileges: SeSecurityPrivilege

I found no public description of what it means and what I am supposed to do. It seemed to me that something cannot execute because 'LOCAL SERVICE' needs 'SeSecurityPrivilege' (aka 'Manage auditing and security log') right. Okay, I granted this right (double checked with RSoP and Local Policy Editor) but nothing changed. I even tried to grant this right to 'System' account also (by default only 'Administrators' have it). But this didn't help either.

So my question is: what should I do to get rid of these events (other than disabling auditing)? Thanks in advance.

P.S. A few links I tried but that didn't add to my understanding.

Events and Errors Message Center Search: nothing at all.
EventID Search: nothing at all.
Randy Franklin Smith's UltimateWindowsSecurity.com Wiki article on SeSecurityPrivilege: interesting, but nothing particularly helpful for this special case.
Randy Franklin Smith's UltimateWindowsSecurity.com Wiki article on Event 4674: nearly meaningless.

And that's all at least slightly relevant information I could find.
December 14th, 2008 11:31am

Bump! Sorry, but the proposed answer is not an answer at all!
December 27th, 2008 11:54am

My initial answer on the matter seems to be correct after all, in the strict sense of the word. My background information was completely wrong. I've been meaning to correct this since I've seen the reply by MVP Pronichkin.

The event is described as Privileged use, subcategory Sensitive privileges exercised by User rights/Privileges (interchangeable/synonymous) OR An operation was attempted on a privileged object. But the type is typically set to display a successful audit. Nevertheless, by the actions you've taken you've eliminated all other, except for the fact that MS admits overloading these privileges so that each privilege can access (or even govern, according to some sources) the authority to perform many different operations. The privileges required for exercising an operation are just not there or the information is partial and cannot be trusted. So the fact that a privilege was accessed is meaningless. Microsoft is aware of the problem and the fact that it is a high-level event. "Still you can't act upon it since they do not describe the event." It's considered 'noise'.

The corresponding event in Windows 2003 is 578 and just as vague: Privileges were used on an already open handle to a protected object. These two event descriptions support the consideration of 'noise', event 578 even confirms it. Multiple instances of the privileges being used at the same time. I've seen event 578 in combination with either 560 and 565 many times; meaning Access was granted to an already existing object and Access was granted to an already existing object type.

Now that I've typed it all I see it's probably just overrated network traffic. Server 2008 has much better logging capabilities, wouldn't surprise me a little patch would solve this issue. I hope this answers your question.

Shems.
Information is the most valuable commodity I know of.
June 9th, 2009 7:36pm

>BUMP< I'm not satisfied with my response. It still bothers me there's little explanation. Maybe someone can explain.

Creativity cannot be taught, but it can be learned.
August 23rd, 2009 3:28pm

So... After a year of complete silence... Anybody!?
January 5th, 2010 5:34pm

http://technet.microsoft.com/en-us/library/dd772724(WS.10).aspx

So versatile and convenient!

Information is provided "AS IS" without any guaranty nor liability and, in no lesser extent, with devotion and care.
February 16th, 2010 12:12pm

<BUMP> it's worth it.

Information is provided "AS IS" without any guaranty nor liability and, in no lesser extent, with devotion and care.
May 18th, 2010 10:19pm

Any news on this one? We can reproduce this event with gpupdate /force
June 14th, 2011 3:56am

Run this:

    auditpol /set /subcategory:"Handle Manipulation" /failure:disable

then, Run Away... :)
May 21st, 2012 2:30pm
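
Added example, not part of the thread: a Python sketch that tallies 4674 records by result, account, process, privilege and decoded Desired Access, so the sources of the event can be seen before any audit subcategory is changed. It assumes text copied from Event Viewer in the layout quoted in the question; the second sample record (admin01, mmc.exe, 0x1020000) is hypothetical. The question's Desired Access value 16777216 is 0x1000000, the ACCESS_SYSTEM_SECURITY bit.

```python
import re
from collections import Counter
# Standard and generic access-mask bits (values from winnt.h).
ACCESS_BITS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE", 0x02000000: "MAXIMUM_ALLOWED",
    0x01000000: "ACCESS_SYSTEM_SECURITY",  # SACL access, gated by SeSecurityPrivilege
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}

# Constructed sample (Event Viewer text layout): the question's record x2 + one hypothetical.
RECORD = """Log Name: Security
Event ID: 4674
Keywords: {kw}
Subject:
  Account Name: {acct}
Process Information:
  Process Name: {proc}
Requested Operation:
  Desired Access: {access}
  Privileges: {priv}
"""
SAMPLE = (
    RECORD.format(kw="Audit Failure", acct="LOCAL SERVICE", access="16777216",
                  proc=r"C:\Windows\System32\lsass.exe", priv="SeSecurityPrivilege") * 2
    + RECORD.format(kw="Audit Success", acct="admin01", access="0x1020000",
                    proc=r"C:\Windows\System32\mmc.exe", priv="SeSecurityPrivilege")
)

def decode_access(mask):
    # Name the known bits; report anything left over as object-specific rights.
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    rest = mask & ~sum(ACCESS_BITS)
    return names + ([f"object-specific 0x{rest:x}"] if rest else [])

def parse_events(text):
    # One dict of "Field: value" pairs per record; section headers carry no value.
    recs = [dict(re.findall(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*?)[ \t]*$", chunk))
            for chunk in re.split(r"(?m)^(?=Log Name:)", text)]
    return [r for r in recs if r.get("Event ID") == "4674"]

def summarize(text):
    # Count 4674 records per (result, account, process, privilege, decoded access).
    return Counter(
        (e["Keywords"], e["Account Name"], e["Process Name"], e["Privileges"],
         "|".join(decode_access(int(e["Desired Access"], 0))))
        for e in parse_events(text))
```

Calling `summarize(SAMPLE).most_common()` lists the busiest combinations first; a single account and process pair that dominates the failures is the one worth tracing.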

This topic is archived. No further replies will be accepted.
