Event Log ID 5145 - Detailed File Sharing

-

we have auditing turned on our server on 1 file in order determine computers accessing file.  have few computers accessing file (not workstations) though have no reason programmatically access files.  how  can determine why these workstations accessing file , disable it.  below sample:

- system
- provider
[ name] microsoft-windows-security-auditing
[ guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
eventid 5145
version 0
level 0
task 12811
opcode 0
keywords 0x8020000000000000
- timecreated
[ systemtime] 2012-10-17t16:13:09.381066300z
eventrecordid 1038283
correlation
- execution
[ processid] 444
[ threadid] 460
channel security
computer sbistream.sheridanbooks.com
security
- eventdata
subjectusersid s-1-5-21-1993962763-1708537768-839522115-1357
subjectusername eblissic
subjectdomainname sbi
subjectlogonid 0x15329a4
objecttype file
ipaddress 10.2.40.59
ipport 64853
sharename \\*\stream
sharelocalpath \??\e:\stream
relativetargetname $extend\$quota:$q:$index_allocation
accessmask 0x12019f
accesslist %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424
accessreason %%1538: %%1801 d:(a;;fa;;;wd) %%1541: %%1801 d:(a;;fa;;;wd) %%4416: %%1801 d:(a;;fa;;;wd) %%4417: %%1801 d:(a;;fa;;;wd) %%4418: %%1801 d:(a;;fa;;;wd) %%4419: %%1801 d:(a;;fa;;;wd) %%4420: %%1801 d:(a;;fa;;;wd) %%4423: %%1801 d:(a;;fa;;;wd) %%4424: %%1801 d:(a;;fa;;;wd)

this on client (workstation) side. use process monitor reveal problem causing process.

rgds

milos



Windows Server  >  Windows Server General Forum



Comments

Post a Comment

Popular posts from this blog

WIMMount (HSM) causing cluster storage to go redirected (2012r2 DC)

-
looking options resolve error , prevent in future. thanks help. hardware: 2 node dell hv cluster running2012r2 dc 8 nic/ea in multiplex mode 4x hyper-v 4x hosts storage: 2x synology nas, accessed through iscsi hosts , cluster relevant logs: log name:      microsoft-windows-failoverclustering/diagnostic source:        microsoft-windows-failoverclustering date:          event id:      2050 task category: none level:         warning keywords:       user:          system computer:      l description: [dcm] filter wimmount found @ unsafe altitude 180700 log name:      system source:        microsoft-windows-failoverclustering date:         event id:      5125 task category: cluster shared volume level:         warning keywords:       user:          system computer: description: cluster shared volume 'volume1' ('cluster disk 1') has identified 1 or more active filter drivers on device stack interfere csv operatio
Read more

Failed to delete the test record dcdiag-test-record in zone test.com

-
ps c:\users\administrator.test> dcdiag /test:dns directory server diagnosis performing initial setup:    trying find home server...    home server = dc02    * identified ad forest.    done gathering initial info. doing initial required tests    testing server: default-first-site-name\dc02       starting test: connectivity          ......................... dc02 passed test connectivity doing primary tests    testing server: default-first-site-name\dc02       starting test: dns          dns tests running , not hung. please wait few minutes...          ......................... dc02 passed test dns    running partition tests on : forestdnszones    running partition tests on : domaindnszones    running partition tests on : schema    running partition tests on : configuration    running partition tests on : test    running enterprise tests on : test.com       starting test: dns          test results domain
Read more

Azure MFA with Azure AD and RDS

-
i have setup following lab in azure , need help. a server (domain controller) , remote desktop services. and server multi factor authentication server. i have setup following one http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/ and when im connecting got following error. the user "domain\username", on client computer "xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements , therefore not authorized access rd gateway server. authentication method used was: "ntlm" , connection protocol used: "rpc-http". following error occurred: "23003". also on security log i've got following authentication details: connection request policy name: ts gateway authorization policy network policy name: - authentication provider: radius proxy authentication server: test.test.local authentication type: - eap t
Read more