Why are our Microsoft Windows 2003 domain controllers generating excessive Event ID 560 events? (NETIQKB43537)

  • 7743537
  • 02-Feb-2007
  • 15-Mar-2013

Environment

NetIQ Group Policy Guardian 1.6

Situation

Why are our Microsoft Windows 2003 domain controllers generating excessive Event ID 560 events?

How can I eliminate the excessive Event ID 560 events generated by our Microsoft Windows 2003 domain controllers?
Symptoms:
Microsoft Windows 2003 domain controllers are generating excessive 560 events.
Group Policy Guardian is reporting events about 'Internet Maintenance Security changes' by user accounts.

Resolution

When a client queries domain controllers for the Group Policy Objects (GPOs) that apply to the client or to the user making the query, 560 audit events are generated on the queried domain controllers that have the write attribute enabled. Because the query is a read operation and does not modify any attributes of the GPO, the 560 audit event should not be generated.

The workaround is to remove Write Attribute from the audited events of the Policies container in Sysvol. This issue is resolved in GPG 2.0, which no longer requires auditing of the WriteAttribute SACL setting.
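One way to review and apply the workaround from PowerShell, as an added example that is not part of the original article or NetIQ's tooling. It assumes the Policies folder is at the path shown (the `<domain>` placeholder must be filled in) and an elevated session on the domain controller; it only reports unless `$Apply` is set to `$true`.

```powershell
# Assumed path: replace <domain> with your domain's DNS name before running.
$PoliciesPath = "$env:SystemRoot\SYSVOL\sysvol\<domain>\Policies"
$Apply = $false   # report only; set to $true to write the modified SACL

$WriteAttr = [System.Security.AccessControl.FileSystemRights]::WriteAttributes

# Reading or writing a SACL needs an elevated session (SeSecurityPrivilege).
$acl = Get-Acl -Path $PoliciesPath -Audit
$changed = $false

# Explicit (non-inherited) audit entries only; inherited ones are edited on the parent.
# SIDs are requested so that an unresolvable account does not abort the listing.
$rules = @($acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]))
foreach ($rule in $rules) {
    if (($rule.FileSystemRights -band $WriteAttr) -eq 0) { continue }

    Write-Output ("Audits Write Attributes: {0} [{1}] rights={2}" -f `
        $rule.IdentityReference, $rule.AuditFlags, $rule.FileSystemRights)

    # Same entry with only the Write Attributes bit cleared.
    $remaining = [System.Security.AccessControl.FileSystemRights](
        [int]$rule.FileSystemRights -band (-bnot [int]$WriteAttr))

    $acl.RemoveAuditRuleSpecific($rule)
    if ([int]$remaining -ne 0) {
        $newRule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
            $rule.IdentityReference, $remaining,
            $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AuditFlags
        $acl.AddAuditRule($newRule)
    }
    $changed = $true
}

if ($changed -and $Apply) {
    Set-Acl -Path $PoliciesPath -AclObject $acl
    Write-Output "SACL updated: Write Attributes is no longer audited on $PoliciesPath"
} elseif ($changed) {
    Write-Output "Report only: no changes written (set `$Apply = `$true to apply)."
} else {
    Write-Output "No explicit audit entry on $PoliciesPath includes Write Attributes."
}
```

The other audited rights on each entry are preserved, so the change is limited to the Write Attribute setting named in the workaround.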



Additional Information

Formerly known as NETIQKB43537