Windows auditing - enabled and seeing a lot of events about object access
Hello,

As the subject says, I enabled auditing via local security policy on a Windows 2003 server. Just out of the box I am seeing a ton of events about object access success on system executables such as this:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 10/1/2009
Time: 2:13:49 PM
User: td
Computer: OMAJELUTIL02
Description:
Handle Closed:
Object Server: Security
Handle ID: 656
Process ID: 4244
Image File Name: C:\WINDOWS\system32\mmc.exe

I have not set any audit settings on any specific folders or files (yet). Are there some default settings that are forcing these audit events to be generated?

Thanks!
October 1st, 2009 10:19pm
Hi,

You have configured the Audit Policy setting for 'Object Access'. This will audit the event of a user accessing an object such as a file, folder, printer, etc. on that server (since you configured the Local Policy).

The above event clearly shows that the requesting machine is OMAJELUTIL02 and the user is 'td', who successfully accessed 'mmc.exe'.

To me it looks fine and working the way it should. Where do you see issues?

Thanks,
Nitin
October 1st, 2009 11:49pm
TD,

A lot of objects have default audit settings enabled, so what you are seeing is expected. That's why you should only enable it when needed and you have suitable resources available for sorting through the large volume of events.

Regards,
Kurt

Kurt Dillard
http://www.kurtdillard.com
October 2nd, 2009 5:39pm