Failure audits in Event logs
Hi,
My security logs on 2008 R2 DCs are full of the following failure audits:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/1/2011 8:51:00 AM
Event ID: 4662
Task Category: Directory Service Access
Level: Information
Keywords: Audit Failure
User: N/A
Computer: dc1.microsoft.msft
Description:
An operation was performed on an object.
Subject :
Security ID: DOMAIN\USERCOMPUTER$
Account Name: USERCOMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3d71bc79
Object:
Object Server: DS
Object Type: computer
Object Name: CN=USERCOMPUTER,OU=xxx,OU=xxx,OU=xxx,DC=microsoft,DC=msft
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Control Access
Access Mask: 0x100
Properties: ---
{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
{aa4e1a6d-550d-4e05-8c35-4afcb917a9fe}
{bf967a86-0de6-11d0-a285-00aa003049e2}
Additional Information:
Parameter 1: -
Parameter 2:
I want to get rid of the huge amount of such events in my logs. It seems that all of our machines cause such events. How do I troubleshoot such events? Thanks.
July 1st, 2011 9:13am
This auditing is new to 2008. You have a good amount of control over what gets logged. Have a look at this TechNet article for some details and options:
http://technet.microsoft.com/en-us/library/cc731764(WS.10).aspx
Otherwise, you may want to consider creating a custom view in the Event Log. That way, you can maintain as much information as possible in your logs but only see what you want to based on the given situation. You can create a custom view that only displays Critical or Error events.
Brian
July 1st, 2011 7:38pm
I don't understand your answer. Why do I need to create custom views? I can view these events without any custom views. I see that these events are generated from almost all of my clients. The events are identical, with ID 4662. I only want to find out exactly what operation from the clients causes such events, as I want to eliminate them. What exactly does the client want to do in AD?
July 4th, 2011 4:24pm
From the link I sent, the first couple of sentences sum it up: "The global audit policy Audit directory service access controls whether auditing for directory service events is enabled or disabled. This security setting determines whether events are logged in the Security log when certain operations are carried out on objects in the directory. You can control what operations to audit by modifying the system access control list (SACL) on an object." You should review your auditing settings and make adjustments to suit the organization's requirements.
In your case, you want to get rid of the logs because they represent a huge amount of events. You have two options - use a custom view (so that you are not seeing them to begin with) or modify your audit settings so that less information is being logged.
I typically recommend to maintain as much logging as possible and use custom views to get rid of the "noise". In the case of a serious event (such as a security incident), it is nice to have as much logging as possible. But, you can certainly turn down the auditing instead.
Hope this clears it up.
Brian
July 6th, 2011 9:08am
Brian,
I think that you didn't understand me. I do not want to remove these log entries from appearing in the logs on the DC. I know how to do that very well. My problem is that, as I said before, this huge amount of entries is identical and generated from all of my clients. So I wanted to ask for help on how to troubleshoot such an entry as I posted earlier. I wanted to find the cause of this entry appearing in the logs on the DC (access rights, something else). I'll repeat - I do not want to disable such failure audits via GPO.
July 11th, 2011 12:43pm
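As an added example that is not part of this thread: a PowerShell script that groups the 4662 Audit Failure events on a DC by subject, target object and access mask, and resolves the GUIDs in the Properties field against the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid), so the event tells you which class, attribute or control access right was being checked. It assumes it is run on the DC itself with an account that can read the Security log and the configuration partition; the time window and event cap are adjustable parameters.

```powershell
# Added example: summarise 4662 Audit Failure events and name the GUIDs they reference.
# Assumes: run locally on the DC, account can read the Security log and the schema/config NCs.
param([int]$Hours = 24, [int]$MaxEvents = 5000)

$auditFailure = 0x10000000000000   # Keywords bit for "Audit Failure" (Audit Success is 0x8000000000000)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    Keywords  = $auditFailure
    StartTime = (Get-Date).AddHours(-$Hours)
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

# GUID -> name map: classes/attributes carry schemaIDGUID (binary), control access rights carry rightsGuid (string)
$rootDse  = [ADSI]'LDAP://RootDSE'
$guidName = @{}
foreach ($spec in @(
    @{ Base = "LDAP://$($rootDse.schemaNamingContext)";                           Attr = 'schemaIDGUID' },
    @{ Base = "LDAP://CN=Extended-Rights,$($rootDse.configurationNamingContext)"; Attr = 'rightsGuid' })) {
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]$spec.Base, "($($spec.Attr)=*)", @('name', $spec.Attr))
    $searcher.PageSize = 1000
    foreach ($r in $searcher.FindAll()) {
        $g = [guid]$r.Properties[$spec.Attr.ToLower()][0]      # cast handles both byte[] and string forms
        $guidName[$g.ToString()] = $r.Properties['name'][0]
    }
}

# Pull the fields of interest out of each event's XML and replace each GUID in Properties with its name
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $names = [regex]::Matches([string]$d['Properties'], '(?i)[0-9a-f-]{36}') |
        ForEach-Object { $k = $_.Value.ToLower(); if ($guidName.ContainsKey($k)) { $guidName[$k] } else { $k } }
    New-Object PSObject -Property @{
        Subject    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ObjectType = $d['ObjectType']
        ObjectName = $d['ObjectName']
        AccessMask = $d['AccessMask']
        Properties = ($names -join '; ')
    }
}

# Which accounts fail, against which object, for which right: the breakdown needed to find the cause
$rows | Group-Object Subject, ObjectName, AccessMask, Properties |
    Sort-Object Count -Descending |
    Select-Object Count, @{n = 'Details'; e = { $_.Name }} |
    Format-Table -AutoSize -Wrap
```

Once the Properties GUIDs resolve to a named attribute or control access right, compare the object's SACL and DACL for that right (Effective Permissions in ADUC or dsacls) against the account listed as Subject to see whether the denial is expected.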
Sorry about the confusion. Sometimes it can be tough trying to understand each other via forum posts! I haven't run into many failure audits for 4662, unfortunately. These are commonly seen as success audits even when there appears to be no activity. For example, in one of my environments, I have a number of 4662 success audits in the middle of the night for a virtual machine that hasn't been used in days (although it is powered on and functioning). I attempted to reproduce some 4662 failure audits by taking a few actions but wasn't able to generate any. In another environment that I checked, I have over 35,000 success audits on 4662 and not a single failure audit. So I can't come up with much to help in troubleshooting these events. Hopefully somebody else has a bit of insight.
Brian
July 13th, 2011 12:09am