Security Event Log Entry

TheMSsForum.com: The Microsoft Software Forum

We have NT4 SP6. I have been getting the Event ID: 560
entry in the Security Event Log with the following info:

Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\000003FD
New Handle ID: 1318680
Operation ID: {0,4304703}
Process ID: 2162013760
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name:
Client Domain:
Client Logon ID: (0x0,0x4411)
Accesses READ_CONTROL
ReadGeneralInformation
ReadLogon
ReadAccount
ListGroups

Privileges -

I haven't found any info as to what this means. Usually I
get usernames from my domain and my domain name but this
info does not make sense. The user field in the log reads
ANONYMOUS even though the client user name is blank in the
info above. Does anyone have any idea as to what this
entry means? Thanks in advance.
Top

Re: Security Event Log Entry by Eric

Eric
Fri Sep 12 17:54:25 CDT 2003

It means someone enumerated the SAM. Nothing to worry about.

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.

"D Pizana" <dpizana2000@hotmail.com> wrote in message
news:054b01c362bd$c0512430$a401280a@phx.gbl...
> We have NT4 SP6. I have been getting the Event ID: 560
> entry in the Security Event Log with the following info:
>
> Object Server: Security Account Manager
> Object Type: SAM_USER
> Object Name: DOMAINS\Account\Users\000003FD
> New Handle ID: 1318680
> Operation ID: {0,4304703}
> Process ID: 2162013760
> Primary User Name: SYSTEM
> Primary Domain: NT AUTHORITY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name:
> Client Domain:
> Client Logon ID: (0x0,0x4411)
> Accesses READ_CONTROL
> ReadGeneralInformation
> ReadLogon
> ReadAccount
> ListGroups
>
> Privileges -
>
> I haven't found any info as to what this means. Usually I
> get usernames from my domain and my domain name but this
> info does not make sense. The user field in the log reads
> ANONYMOUS even though the client user name is blank in the
> info above. Does anyone have any idea as to what this
> entry means? Thanks in advance.
>


Top