Ayanami Rei's Journal: Windows XP and 2003 + auditing == issues

Has anyone else experienced this?

Pre-requisites:

1) A system with Windows XP or Server 2003
2) A bunch of local users without administrative privileges
3) Poorly written software that triggers the following issue:
MSKB 837115
4) You've enabled the option "Audit: Shut down system immediately if unable to log security audits" under Local Security Policy (i.e. HKLM\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail = 1)

Symptom:

One day your users call you up and claim "I can't log in anymore! It says 'User is not permitted to login at this computer'". You scratch your head in confusion.

You think to yourself: Did auditing fail for some reason, thus preventing mortals from using the system? Check the security log... no, it's not even close to full. Check for low disk space ... no you've got plenty.

So then you check your System log and you see a bunch of event IDs of 1517 and 1524 leading up to the point where people couldn't log in anymore. Userenv is complaining about profiles not unloading probably.

You're thinking: shit... user profile corruption. So you try restoring the user profiles from backup... no dice. The only thing that works is adding the user to Administrator group temporarily.

Actual Cause:

Unknown... but the real problem seems to be that sometimes when userenv tries putting off unloading a profile, it can cause auditing to fail. I can't figure out why. The result of auditing failing is... the system immediately shuts down and reboots, and then no one but Administrator can log in.

That is until you disable the CrashOnAuditFail setting... reboot, then re-enable it, and reboot again. At this point users can log in. (Incidentally, you _still_ need to do this if auditing fails because of a disk space condition, deleting files to make space is only the first part, then you need to do the disable->reboot->re-enable->reboot dance)

Problem 'solved'.

I've had this happen twice so far, and that UPHClean tool that Microsoft has doesn't seem to really do anything that I can tell. Anyone have any experience with this or have any insight?
We'd like to get to the bottom of this and really fix the problem.

Thanks.
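
A read-only triage script for the lockout described above, as an added example that is not part of the original journal entry. It assumes Windows PowerShell is installed and run as Administrator; the function names are hypothetical, and the meaning of the value 2 comes from Microsoft's documentation of CrashOnAuditFail, not from the post.

```powershell
# Added example: checks the three things the post looks at by hand.
# Assumption: run from an elevated Windows PowerShell session on the affected box.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented CrashOnAuditFail values: 0 = off, 1 = on, 2 = on and already triggered.
function Get-CrashOnAuditFailState {
    $value = (Get-ItemProperty -Path $lsaKey).CrashOnAuditFail
    if ($value -eq $null) { return 'Value not present (policy not configured)' }
    switch ($value) {
        0       { 'Disabled' }
        1       { 'Armed: system halts if a security audit cannot be logged' }
        2       { 'Triggered: only administrators can log on until it is reset' }
        default { "Unexpected value: $value" }
    }
}

# Security log capacity, to rule out the "log is full" cause first.
function Get-SecurityLogCapacity {
    Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
        Select-Object Log, MaximumKilobytes, OverflowAction,
            @{ Name = 'EntryCount'; Expression = { $_.Entries.Count } }
}

# Userenv profile-unload events (1517, 1524) from the System log, oldest first.
function Get-ProfileUnloadEvents {
    param([int]$Newest = 2000)
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { $_.Source -eq 'Userenv' -and (1517, 1524) -contains $_.EventID } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID, Message
}

'CrashOnAuditFail: ' + (Get-CrashOnAuditFailState)
Get-SecurityLogCapacity | Format-List

$events = @(Get-ProfileUnloadEvents)
'Userenv 1517/1524 events found: {0}' -f $events.Count
if ($events.Count -gt 0) {
    'Most recent: {0}' -f $events[-1].TimeGenerated
    $events | Format-Table TimeGenerated, EventID -AutoSize
}
# Recovery is the sequence from the post: disable the setting, reboot,
# re-enable it, reboot. This script only reports state and changes nothing.
```

A reported state of "Triggered" alongside a Security log that is not full, preceded by a run of 1517/1524 events, matches the symptom pattern in the post.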

  • *Mutters something about switching to an operating system that works*
    • We actually did just that on the previous machine it happened to (before we figured out that you could recover from it). We went to RHEL WS and no one complained. Auditing and everything, working just fine.

      But we need this one box to be a Windows box...
