Event ID 576 Fills the Security Event Log When Auditing (264769)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0
This article was previously published under Q264769

SYMPTOMS

When you open Event Viewer, you notice that the following event message has filled the Security log:

Event: 576
Source: Security
Type: Success Audit
Category: Privilege Use

CAUSE

This behavior can occur when the audit policy includes auditing for the successful use of user rights.

RESOLUTION

Change the audit policy to discontinue auditing for the successful use of user rights.

MORE INFORMATION

To change the audit policy to stop auditing the successful use of user rights, follow these steps:

For Windows NT 4.0

  1. Start User Manager for Domains.
  2. On the Policies menu, click Audit.
  3. In the Audit Policy dialog box, for the object Use of User Rights, click to clear the Success check box, and then click OK.
  4. Quit User Manager for Domains.

For Windows 2000 Server

If you set the audit policy on a domain basis

  1. Under Administrative Tools, launch the Domain Security Policy.
  2. Under Security Settings click Local Policies, and then click audit Policy.
  3. Click Audit Privlege Use and click to clear the Success check box.
  4. At the command line type secedit /refreshpolicy machine_policy.

If you set the audit policy at the local computer

  1. Under Administrative Tools, launch the Local Security Policy.
  2. Under Security Settings click Local Policies, and then click Audit Policy.
  3. Click Audit Privledge Use and click to clear the Success check box.
  4. At the command line, type secedit /refreshpolicy machine_policy.
Modification Type:MajorLast Reviewed:10/11/2002
Keywords:kbprb KB264769
©2002 Microsoft Corporation. All rights reserved.