Failure Audit log

We have started seeing a lot of failure audits on our sql server after we
gave a couple of domain users access to the SQL DB. The users have
permissions to read/write to certain tables in some databases. Any idea what
is causing this?
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 5/5/2005
Time: 1:08:00 PM
User: <<DOMAIN\KNOWN_USER_NAME>>
Computer: <<SERVER_NAME>>
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,<<000000000>>}
Process ID: 844
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: <<SERVER_NAME>>$
Primary Domain: SAGO
Primary Logon ID: (0x0,0x<<000>> )
Client User Name: <<KNOWN_USER_NAME>>
Client Domain: SAGO
Client Logon ID: (0x0,0x<<00000000>> )
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.Based on my experience, this error usually occurs when a user
(DOMAIN\KNOWN_USER_NAME) makes a connection via a MMC and they do not have
the permissions to perform this action.
Can you identify what actions were performing at that time this error was
logged? In addition, is there any business impact casued by this error? Do
the domain users have any difficulty doing their job?
Sincerely,
William Wang
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
This posting is provided "AS IS" with no warranties, and confers no rights.
--
>Thread-Topic: Failure Audit log
>thread-index: AcVWbUHfZOaL7esET9Wrkqq2v6XWfA==
>X-WBNR-Posting-Host: 128.194.92.153
>From: "examnotes" <stech@.nospam.nospam>
>Subject: Failure Audit log
>Date: Wed, 11 May 2005 14:06:10 -0700
>Lines: 44
>Message-ID: <DA088796-FBED-4CCB-B9FC-2A2370CEACF0@.microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.sqlserver.security
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.sqlserver.security:4976
>X-Tomcat-NG: microsoft.public.sqlserver.security
>
>We have started seeing a lot of failure audits on our sql server after we
>gave a couple of domain users access to the SQL DB. The users have
>permissions to read/write to certain tables in some databases. Any idea
what
>is causing this?
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Object Access
>Event ID: 560
>Date: 5/5/2005
>Time: 1:08:00 PM
>User: <<DOMAIN\KNOWN_USER_NAME>>
>Computer: <<SERVER_NAME>>
>Description:
>Object Open:
> Object Server: SC Manager
> Object Type: SC_MANAGER OBJECT
> Object Name: ServicesActive
> Handle ID: -
> Operation ID: {0,<<000000000>>}
> Process ID: 844
> Image File Name: C:\WINDOWS\system32\services.exe
> Primary User Name: <<SERVER_NAME>>$
> Primary Domain: SAGO
> Primary Logon ID: (0x0,0x<<000>> )
> Client User Name: <<KNOWN_USER_NAME>>
> Client Domain: SAGO
> Client Logon ID: (0x0,0x<<00000000>> )
> Accesses: READ_CONTROL
> Connect to service controller
> Enumerate services
> Query service database lock state
> Privileges: -
> Restricted Sid Count: 0
> Access Mask: 0x20015
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>|||Wang,
You are right in that these people have a connection to our SQL server
(SQL-A) defined in MMC. But we are not sure what action they perform which
causes this to happen.
As far as actions go, users perform simple tasks like opening tables,
performing simple queires.
We even have one user who is not connected to the SQL-A server (although he
has the server registered under mmc), but he is connected to a different SQL
server through MMC, and at the same time, we have failure audits for that
person in the event log.
Looking at his MMC, I can see that he is connected to his local SQL server-
at the same time, there is a round circle with no green arrow inside for the
SQL-A server. So looks like MMC is attempting to poll SQL-A to see if it is
active but it is failing.
Looking at the event log, we have one entry every 10-15 seconds per person.
We would like for a way to stop these entries from showing up in the
security event log.
Thanks!
"William Wang[MSFT]" wrote:

> Based on my experience, this error usually occurs when a user
> (DOMAIN\KNOWN_USER_NAME) makes a connection via a MMC and they do not have
> the permissions to perform this action.
> Can you identify what actions were performing at that time this error was
> logged? In addition, is there any business impact casued by this error? Do
> the domain users have any difficulty doing their job?
> Sincerely,
> William Wang
> Microsoft Online Partner Support
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> This posting is provided "AS IS" with no warranties, and confers no rights
.
> --
> what
>|||This issue does not seem to be related to SQL server itself. I've seen a
similar issue before which occurs on a machine with multiple NICs
installed. If you have multiple NICs, I suggest that you temporarily
disable the unused ones for testing purpose.
If the issue persists, please check if the issue occurs with a user with
local admin right.
Because the issue occurs when users are getting Object Access Failure when
trying to access a server, you may want to use filemon/regmon (which can be
downloaded from www.sysinternals.com) to monitor the "access denied" error.
Third-Party Link Disclaimer
===========
This response contains a reference to a third-party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.
Sincerely,
William Wang
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
=============
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.
This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/te...erview/40010469
Others: https://partner.microsoft.com/US/te...upportoverview/
If you are outside the United States, please visit our International
Support page:
http://support.microsoft.com/defaul...rnational.aspx.
========================================
=============
This posting is provided "AS IS" with no warranties, and confers no rights.
--
>Thread-Topic: Failure Audit log
>thread-index: AcVX0ejCUeEAKnwdQfyIE+x61JsD+g==
>X-WBNR-Posting-Host: 128.194.92.153
>From: "examnotes" <stech@.nospam.nospam>
>References: <DA088796-FBED-4CCB-B9FC-2A2370CEACF0@.microsoft.com>
<xqiJe3rVFHA.460@.TK2MSFTNGXA01.phx.gbl>
>Subject: RE: Failure Audit log
>Date: Fri, 13 May 2005 08:39:11 -0700
>Lines: 118
>Message-ID: <F85CF50F-70C9-401E-92BF-F161EF680A2D@.microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.sqlserver.security
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTFEED02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA
03.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.sqlserver.security:4995
>X-Tomcat-NG: microsoft.public.sqlserver.security
>Wang,
>You are right in that these people have a connection to our SQL server
>(SQL-A) defined in MMC. But we are not sure what action they perform which
>causes this to happen.
>As far as actions go, users perform simple tasks like opening tables,
>performing simple queires.
>We even have one user who is not connected to the SQL-A server (although
he
>has the server registered under mmc), but he is connected to a different
SQL
>server through MMC, and at the same time, we have failure audits for that
>person in the event log.
>Looking at his MMC, I can see that he is connected to his local SQL
server-
>at the same time, there is a round circle with no green arrow inside for
the
>SQL-A server. So looks like MMC is attempting to poll SQL-A to see if it
is
>active but it is failing.
>Looking at the event log, we have one entry every 10-15 seconds per
person.
>We would like for a way to stop these entries from showing up in the
>security event log.
>Thanks!
>
>"William Wang[MSFT]" wrote:
>
have[vbcol=seagreen]
was[vbcol=seagreen]
Do[vbcol=seagreen]
rights.[vbcol=seagreen]
we[vbcol=seagreen]
>