Access Denied--Understanding the User Privileges that Event ID 578 Logs

I understand from "Detect When Someone Views or Dumps the Security Log," June 2001, InstantDoc ID 20912, that event ID 578 (privileged object operation), in which Object Server is EventLog and the privilege is SeSecurityPrivilege, indicates that the specified user viewed the Security log. However, I sometimes find other occurrences of event ID 578 in which the privilege is SeSecurityPrivilege but Object Server is either Security or Directory Service (DS). What do these events indicate?

Windows 2000 logs event ID 578 whenever someone uses a user right. Event ID 578 identifies the user right with the term privilege. SeSecurityPrivilege is the short name for the Manage auditing and the security log right. This right lets you use Event Viewer to both view and clear the Security log and edit the audit control list of objects such as files, folders, printers, registry keys, and Active Directory (AD) objects. An object's audit control list specifies which types of access the Security log should record for that object. For example, you can audit each time someone successfully opens a file for write access.

To view an object's audit control list, open its Properties dialog box and select the Security tab. Click Advanced, then select the Auditing tab, which Figure 4 shows. The Object Server in event ID 578's description identifies which of these two actions triggered the use of SeSecurityPrivilege. If the Object Server is EventLog, the specified user queried the event log. If the Object Server is Security, the specified user changed the audit control list of an object. You can determine which object's audit control list the user changed only if you've previously enabled auditing of successful permission changes on that object. In that case, you should be able to find an event ID 560 (object open) that lists the same handle ID. (A program obtains a handle ID when it opens an object; the program must then supply that handle ID for all subsequent operations on that object.) Event ID 560 identifies the actual name of the file, folder, registry key, or printer. When you edit the audit control list of an AD object, such as a user account, event ID 578 lists the Object Server as DS instead of Security.