Event ID 560 is logged every time that you refresh the security log in Windows Server 2003

When you view the security log in Event Viewer, an event that is similar to the following may be logged every time that you refresh the log:

This problem may occur when the "Audit object access" Group Policy setting is configured to audit successful attempts to gain write access to an object that has a system access control list (SACL).

When Event Viewer refreshes the log view, it closes and reopens a handle to the registry subkey where the settings for the security event log are located. This handle requests SetValue access. This request triggers the audit. By default, the SACL for this registry subkey audits all write handles to the subkey that are successfully opened.

To resolve this problem, configure the SACL for the registry key not to log successful attempts to gain write access when they are made by members of the Administrators group or by other users who have permission to view the security event log. To do this, follow these steps to replace the Everyone account with an account that does not contain members of the Administrators group.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Start Registry Editor.
2. Locate and then right-click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
3. Click Permissions.
4. Click Advanced.
5. In the Auditing entries list, click the group that contains members of the Administrators group. (This group is most likely the Everyone group.) Click Edit.
6. Write down which check boxes are selected in the Access box, and then click Cancel.
7. In the Auditing entries list, click Everyone, and then click Remove.
   
   Important Everyone may not be listed in the Auditing entries list. However, it is important to make sure that the ACL does not contain a group that includes administrators.
8. Click Add.
9. In the Select User, Computer or Group box, type the name of a group that contains all users but does not include the Administrators group.
   
   For example, type Domain Users, and then click OK.
10. Click to select the same check boxes that were selected in the Access box of the Everyone group, and then click OK.
    
    Note These are the check boxes that you wrote down in step 6.
11. Click OK two times.
12. Quit Registry Editor.

To work around this problem, follow these steps to configure the "Audit object access" Group Policy setting not to audit any successful attempts to gain write access.

Note This configuration disables all object access audits.

1. Click Start, click Run, type gpedit.msc, and then click OK to start Group Policy Object Editor.
2. Under Local Computer Policy, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
3. In the details pane, double-click Audit object access.
4. In the Audit object access Properties dialog box, click to clear the Success check box and the Failure check box.
5. Click OK.
6. Quit Group Policy Object Editor.

Note This workround may not work if the policy is applied on the domain.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.