Event 560, 562 When No Objects Have Been Selected for Auditing

• Microsoft Windows NT Workstation versions 3.5 and 3.51
• Microsoft Windows NT Server versions 3.5 and 3.51
• Microsoft Windows NT Workstation version 4.0
• Microsoft Windows NT Server version 4.0

SYMPTOMS

If you choose Audit on the Policies menu and enable the Auditing File and Objects Access option in User Manager for Domains without specifying any objects to be audited, event 560 and event 562 will be logged in the

 security log file. Any action performed by the Administrator account in
 User Manager for Domains (or Server Manager) will be logged as an event
 560 for the Administrator account and as an event 562 for the System
 account.

CAUSE

By default, the Auditing File and Objects Access option audits all action performed in User Manager for Domains (and in Server Manager).

RESOLUTION

This is by design. Security Account Manager (SAM), by default, assigns security access control lists (SACLs) to all objects it creates, and managing them with User Manager causes an object access audit to occur.