Environment
NetIQ Group Policy Guardian 1.6
Situation
Why are our Microsoft Windows 2003 domain controllers generating excessive Event ID 560 events?
How can I eliminate the excessive Event ID 560 events generated by our Microsoft Windows 2003 domain controllers?
Symptoms:
Microsoft Windows 2003 domain controllers are generating excessive 560 events.
Group Policy Guardian is reporting events about 'Internet Maintenance Security changes' by user accounts.
Resolution
When a client queries domain controllers for the Group Policy Objects (GPOs) pertaining to the client or the user making the query, 560 audit events are generated on the queried domain controllers that have auditing of the Write Attribute enabled. Because the query is a read operation and no attributes of the GPO are modified by the query, the 560 audit event should not be generated.
The workaround is to remove Write Attribute from the audited events of the Policies container in Sysvol. This issue is resolved in GPG 2.0 because GPG 2.0 no longer requires auditing of the WriteAttribute SACL setting.
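To confirm whether the workaround is in place, the following added example (not NetIQ or Microsoft code) lists the audit entries on the Policies folder that still include Write Attributes and shows the rights that would remain once that flag is removed. It assumes PowerShell is available on the machine used for the check, that the account holds the "Manage auditing and security log" right, and that the placeholder path is replaced with your own domain's SYSVOL path.

```powershell
# Added example: report audit (SACL) entries on the SYSVOL Policies folder
# that still audit the Write Attributes right. Read-only; nothing is changed.
param(
    # Placeholder path (assumption): substitute your own domain name.
    [string]$PoliciesPath = '\\example.local\SYSVOL\example.local\Policies'
)

$writeAttr = [int][System.Security.AccessControl.FileSystemRights]::WriteAttributes

# -Audit asks for the SACL as well as the DACL; without the
# "Manage auditing and security log" right this call fails.
$acl = Get-Acl -Path $PoliciesPath -Audit

# Include both explicit and inherited audit rules, resolved to account names.
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

$rules |
    Where-Object { ([int]$_.FileSystemRights -band $writeAttr) -ne 0 } |
    Select-Object `
        @{ Name = 'Identity';   Expression = { $_.IdentityReference.Value } },
        @{ Name = 'AuditFlags'; Expression = { $_.AuditFlags } },
        @{ Name = 'Inherited';  Expression = { $_.IsInherited } },
        @{ Name = 'CurrentRights'; Expression = { $_.FileSystemRights } },
        # Rights left on the entry after clearing only the Write Attributes bit.
        @{ Name = 'RightsWithoutWriteAttributes'; Expression = {
            [System.Security.AccessControl.FileSystemRights](
                [int]$_.FileSystemRights -band (-bnot $writeAttr)
            )
        } } |
    Format-List
```

No output means no audit entry on the folder includes Write Attributes. An entry shown with `Inherited : True` has to be changed on the parent folder where it is defined.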
Additional Information
Formerly known as NETIQKB43537