The Security Options for a Group Policy Object (GPO) include a policy called Audit the access of global system objects. What does this policy do? Should I enable it?
This policy corresponds to the AuditBaseObjects value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. If you open Computer Configuration, Windows Settings, Security Settings, Local Policies and enable this policy, Windows 2000 audits low-level system objects (e.g., mutexes, events, semaphores), so you can track objects that programs access. However, this auditing can result in an overwhelming accumulation of events in your Security log. These events are useful to Win32 programmers for debugging but offer little practical value to administrators.
We've found some events in the Security log that we don't recognize. Recently, we enabled Audit account management on our domain controllers (DCs). Now, whenever we change, add, or remove members from certain groups, we receive unexpected event IDs. For example, when we add a member to a global group, we expect to see event ID 632 (Security Enabled Global Group Member Added) but instead see event ID 655 (Security Disabled Global Group Member Added). What do security enabled and security disabled mean?
Active Directory (AD) groups can be one of two types (security or distribution) and one of three scopes (local, global, or universal). You can use security groups in ACLs, assigned rights, and any other security-related setting. You can also use security groups as a distribution list (DL) in a Microsoft Exchange Server environment. However, you can use distribution groups only in Exchange and Microsoft Outlook, not for any security-related setting. Local, global, and universal scopes control where in the forest you can grant a group permission and which scopes of groups can be nested inside of one another. In the Security log, Windows 2000 refers to security groups as security-enabled groups and distribution groups as security-disabled groups and lists a full set of group maintenance event IDs for each operation on each scope of group. Evidently, your HRReportDistribution group is a distribution group, hence the unexpected event IDs. Because distribution groups are irrelevant to security, you can probably ignore event IDs 648 through 657. For a complete list of these events, see http://www.counterpane.com/log-windows.html.
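The split described in this answer can be applied when reviewing an exported Security log. The following is an added example, not part of the original column: it keeps security-enabled group changes for review and only counts the security-disabled (distribution) ones in the 648 through 657 range. The CSV column names, the sample rows, and every group name except HRReportDistribution are constructed for illustration, and the table covers local and global scopes only.

```python
import csv
import io
from collections import Counter

OPS = ("created", "changed", "member added", "member removed", "deleted")

def block(first_id, group_type, scope):
    # Five consecutive IDs sharing the created..deleted order (655 = member added).
    return {first_id + i: (group_type, scope, op) for i, op in enumerate(OPS)}

# Windows 2000 group-maintenance event IDs, local and global scopes only.
GROUP_EVENTS = {
    631: ("security", "global", "created"),
    632: ("security", "global", "member added"),
    633: ("security", "global", "member removed"),
    634: ("security", "global", "deleted"),
    635: ("security", "local", "created"),
    636: ("security", "local", "member added"),
    637: ("security", "local", "member removed"),
    638: ("security", "local", "deleted"),
    639: ("security", "local", "changed"),
    641: ("security", "global", "changed"),
    **block(648, "distribution", "local"),
    **block(653, "distribution", "global"),
}

# Constructed sample export; the column layout is an assumption of this example.
SAMPLE = """event_id,group,member,caller
655,HRReportDistribution,jsmith,admin1
632,Payroll-RW,jsmith,admin1
650,LocalNews,bjones,admin2
637,Backup Operators,svc_old,admin2
528,,,jsmith
"""

def triage(csv_text):
    """Return (security-group changes to review, suppressed distribution counts)."""
    review, suppressed = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        info = GROUP_EVENTS.get(event_id)
        if info is None:
            continue  # not a group-maintenance event in this table
        group_type, scope, op = info
        if group_type == "distribution":
            suppressed[row["group"]] += 1  # security-disabled: count only
        else:
            review.append((event_id, scope, op, row["group"], row["member"]))
    return review, suppressed

if __name__ == "__main__":
    to_review, ignored = triage(SAMPLE)
    for item in to_review:
        print("REVIEW", item)
    print("suppressed distribution-group events:", dict(ignored))
```

Keeping a per-group count of the suppressed events, rather than dropping them silently, makes it easy to confirm that a noisy group really is a distribution group before excluding it.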