Microsoft KB Archive/264769

= Event ID 576 Fills the Security Event Log When Auditing =

Article ID: 264769

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q264769



SYMPTOMS
When you open Event Viewer, you notice that the following event message has filled the Security log:

Event: 576

Source: Security

Type: Success Audit

Category: Privilege Use



CAUSE
This behavior can occur when the audit policy includes auditing for the successful use of user rights.



RESOLUTION
Change the audit policy to discontinue auditing for the successful use of user rights.



MORE INFORMATION
To change the audit policy to stop auditing the successful use of user rights, follow these steps:

For Windows NT 4.0

 * 1) Start User Manager for Domains.
 * 2) On the Policies menu, click Audit.
 * 3) In the Audit Policy dialog box, for the object Use of User Rights, click to clear the Success check box, and then click OK.
 * 4) Quit User Manager for Domains.

If you set the audit policy on a domain basis

 * 1) Under Administrative Tools, launch the Domain Security Policy.
 * 2) Under Security Settings click Local Policies, and then click audit Policy.
 * 3) Click Audit Privlege Use and click to clear the Success check box.
 * 4) At the command line type secedit /refreshpolicy machine_policy.

If you set the audit policy at the local computer

 * 1) Under Administrative Tools, launch the Local Security Policy.
 * 2) Under Security Settings click Local Policies, and then click Audit Policy.
 * 3) Click Audit Privledge Use and click to clear the Success check box.
 * 4) At the command line, type secedit /refreshpolicy machine_policy.

Keywords: kbprb KB264769

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.