We have auditing enabled on a certain folder, and we're seeing frequent access failures—event ID 560 (object open)—for a certain user account. But we don't know what system this user is logged on to or what he or she is doing to create the access failures. How can we find out?
The best way to determine what the user is actually doing to cause the access failure is to find out what program she's using to try to open the object. Event ID 560 provides both the ID of the user's logon session (Logon ID) and the ID of the process attempting to access the file (Process ID). Find the corresponding logon event to find out the type of logon session (e.g., interactive, Terminal Services, network share, service). The logon event on Windows Server 2003 also provides the IP address of the user's client computer if the user isn't already logged on at the console of the local system.
First, make sure Audit logon events is enabled in Local Security Policy\Local Policies\Audit Policy or within an applicable GPO under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy. (If it isn't, you'll need to turn it on and wait until a few more event ID 560s show up before proceeding.) Then take note of the Primary Logon ID and Client Logon ID fields in event ID 560. Use the Client Logon ID value if there is one, otherwise use the Primary Logon ID.
Next, look for a previous instance of event ID 540 (successful network logon) or event ID 528 (successful logon) with the same logon ID. The time of the event is the time when the account logged on. The Logon Type field in the event will tell you how the user logged on. For a list of Logon Type values and their meanings, go to https://www.ultimatewindowssecurity.com/logontypes.html. The logon type helps you determine where the user is. For example, a Logon Type value of 2 tells you that the access attempt originated on the local system. If the logon type value indicates a logon from somewhere else on the network, such as Logon Type 3 (Network) or Logon Type 10 (Terminal Services), look further down the event description and you'll find the Source Network Address field, which reveals the IP address of the computer from which the user logged on to the system that generated the event.
On Windows 2003, event ID 560 adds the Image File Name field, which identifies the executable that attempted to access the file. If you're running Windows 2000, you can discover the executable by enabling Audit process tracking, then looking for an event ID 592 (a new process has been created) that precedes the event ID 560 that you're interested in and that has the same Process ID value. Event ID 592 reports the full path of the executable.