DOCUMENT:Q264769 08-AUG-2001 [winnt] TITLE :Event ID 576 Fills the Security Event Log When Auditing PRODUCT :Microsoft Windows NT PROD/VER::2000,4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0 - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows 2000 Server ------------------------------------------------------------------------------- SYMPTOMS ======== When you open Event Viewer, you notice that the following event message has filled the Security log: Event: 576 Source: Security Type: Success Audit Category: Privilege Use CAUSE ===== This behavior can occur when the audit policy includes auditing for the successful use of user rights. RESOLUTION ========== Change the audit policy to discontinue auditing for the successful use of user rights. MORE INFORMATION ================ To change the audit policy to stop auditing the successful use of user rights, follow these steps: For Windows NT 4.0 ------------------ 1. Start User Manager for Domains. 2. On the Policies menu, click Audit. 3. In the Audit Policy dialog box, for the object Use of User Rights, click to clear the Success check box, and then click OK. 4. Quit User Manager for Domains. For Windows 2000 Server ----------------------- If you set the audit policy on a domain basis: 1. Under "Administrative Tools", launch the Domain Security Policy. 2. Under "Security Settings" click "Local Policies", and then click audit Policy. 3. Click "Audit Privlege Use" and click to clear the Success check box. 4. At the command line type "secedit /refreshpolicy machine_policy" (without the quotation marks). If you set the audit policy at the local computer: 1. Under "Administrative Tools", launch the Local Security Policy. 2. Under "Security Settings" click "Local Policies", and then click "Audit Policy". 3. Click "Audit Privledge Use" and click to clear the Success check box. 4. At the command line, type "secedit /refreshpolicy machine_policy" (without the quotation marks). Additional query words: ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 Version : :2000,4.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.