Mapped Drive Authentication
I am implementing a new Event Log monitor. I have noticed an event that is triggered when someone logs into their PC and they have a mapped drive to a file share. The scenario is the following: Map Drive X: is mapped to FileShareMain. Under FileShareMain are 40 or 50 folders. User only has access to about 1/2 of the folders. When the user logs in, a slew of Event 560 entries generate in the Security Event Log on the sub-folders the user does NOT have access to. My question is: when a user accesses the main (Parent) file share, does the authentication process subsequently check the credentials against each sub-directory automatically, even though the user does not explicitly try to access them? I get about 20+ entries for each sub-folder. Any input would be greatly appreciated. I don't want to filter these out because one of our goals is to see if users are trying to access system resources they shouldn't be. Thanks!
November 19th, 2008 5:36pm

Hi, I performed a test in my lab but I could not reproduce the issue. The audit events for the subfolders are only generated when I attempt to access the subfolders. I performed the test on a Windows XP machine, which is joined to a Windows 2003 domain. May I know how you configured the audit policy so that I can perform further research? Is there any other logon script or application attempting to access and enumerate the network shares? Please check the logon scripts and disable additional startup and logon applications via clean boot to test the issue again. In addition, the following KB article includes some conditions that may cause unexpected audit events:

Event IDs 560 and 562 appear many times in the security event log
http://support.microsoft.com/kb/841001

Hope the information is helpful.
November 21st, 2008 10:57am
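
One way to keep these events while still separating the logon-time bursts from one-off denials, as an added example that is not from either poster: group each user's Event 560 failure audits into bursts by time gap and label a burst by how many distinct folders it touches. The records are constructed (time, Client User Name, Object Name), and the 5-second gap and 3-folder threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample, not real log data: Event 560 failure audits already
# parsed into (time generated, Client User Name, Object Name).
SAMPLE = [
    ("2008-11-19 08:00:01", "jdoe", r"D:\FileShareMain\HR"),
    ("2008-11-19 08:00:01", "jdoe", r"D:\FileShareMain\HR"),
    ("2008-11-19 08:00:02", "jdoe", r"D:\FileShareMain\Finance"),
    ("2008-11-19 08:00:02", "jdoe", r"D:\FileShareMain\Finance"),
    ("2008-11-19 08:00:03", "jdoe", r"D:\FileShareMain\Legal"),
    ("2008-11-19 08:00:03", "jdoe", r"D:\FileShareMain\Legal"),
    ("2008-11-19 14:22:10", "jdoe", r"D:\FileShareMain\Finance"),
    ("2008-11-19 09:15:00", "asmith", r"D:\FileShareMain\HR"),
]

def cluster_failures(events, gap_seconds=5):
    """Split each user's failure audits into bursts separated by more than the gap."""
    by_user = defaultdict(list)
    for ts, user, obj in events:
        by_user[user].append((datetime.strptime(ts, FMT), obj))
    bursts = []
    for user, rows in by_user.items():
        rows.sort()
        current = [rows[0]]
        for row in rows[1:]:
            if row[0] - current[-1][0] <= timedelta(seconds=gap_seconds):
                current.append(row)
            else:
                bursts.append((user, current))
                current = [row]
        bursts.append((user, current))
    return bursts

def triage(events, gap_seconds=5, min_objects=3):
    """Label a burst 'enumeration-like' when it spans many distinct folders."""
    report = []
    for user, rows in cluster_failures(events, gap_seconds):
        objects = sorted({obj for _, obj in rows})
        label = "enumeration-like" if len(objects) >= min_objects else "isolated"
        report.append({"user": user, "start": rows[0][0].strftime(FMT),
                       "events": len(rows), "objects": objects, "label": label})
    return sorted(report, key=lambda r: (r["user"], r["start"]))

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

Nothing is discarded: enumeration-like bursts can be reviewed against logon scripts and startup applications, while isolated denials remain individually visible.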
