Environment
Situation
How can I eliminate the excessive Event ID 560 events generated by our Microsoft Windows 2003 domain controllers?
Group Policy Guardian is reporting events about 'Internet Maintenance Security changes' by user accounts.
Resolution
When a client queries domain controllers for the Group Policy Objects (GPOs) that apply to the client or to the user making the query, Event ID 560 audit events are generated on the queried domain controllers that have Write Attribute auditing enabled. Because the query is a read operation and does not modify any attributes of the GPO, the 560 audit event should not be generated.
The workaround is to remove Write Attribute from the audited events of the Policies container in Sysvol. This issue is resolved in Group Policy Guardian (GPG) 2.0, which no longer requires auditing for the WriteAttribute SACL setting.
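
To see which audit entries the workaround applies to before changing anything, the following read-only report lists every audit entry under the Policies folder that still includes Write Attributes. It is an added example, not part of the original article or of Group Policy Guardian. It assumes PowerShell is installed on the domain controller and that the audit entries in question are NTFS audit entries on the SYSVOL Policies folder. The path is a placeholder and the function name `Get-WriteAttributeAudit` is hypothetical.

```powershell
# Added example: read-only report, changes nothing.
# Run elevated on the DC; reading a SACL requires the
# "Manage auditing and security log" user right.
# ASSUMPTION: placeholder path, replace <your-domain> with your own.
$PoliciesPath = 'C:\WINDOWS\SYSVOL\sysvol\<your-domain>\Policies'

function Get-WriteAttributeAudit {
    param([Parameter(Mandatory = $true)][string]$Path)

    $writeAttr = [int][System.Security.AccessControl.FileSystemRights]::WriteAttributes
    $account   = [System.Security.Principal.NTAccount]

    # The Policies folder itself plus every folder beneath it (each GPO's tree).
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse | Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName -Audit
        # Explicit and inherited entries both generate events, so list both.
        foreach ($rule in $acl.GetAuditRules($true, $true, $account)) {
            $rights = [int]$rule.FileSystemRights
            if (($rights -band $writeAttr) -eq 0) { continue }

            New-Object PSObject -Property @{
                Folder      = $folder.FullName
                Identity    = $rule.IdentityReference.Value
                AuditFlags  = $rule.AuditFlags
                Inherited   = $rule.IsInherited
                Rights      = $rule.FileSystemRights
                # What the entry would audit with Write Attributes cleared.
                RightsAfter = [System.Security.AccessControl.FileSystemRights]($rights -band (-bnot $writeAttr))
            }
        }
    }
}

Get-WriteAttributeAudit -Path $PoliciesPath |
    Select-Object Folder, Identity, AuditFlags, Inherited, Rights, RightsAfter |
    Format-List
```

Entries reported with `Inherited = True` are defined on a parent folder, so the change has to be made there.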