Wednesday, December 28, 2011

SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account

In this post I will share the resolution to a problem I had in one of my clients' Exchange environments. The following event appeared in the Application log of my Exchange 2010 servers.

Log Name: Application
Source: MSExchange SACL Watcher
Date: 28/12/2011 11:00:43 AM
Event ID: 6006
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: exchangeserver.domain.local
Description:
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account S-1-5-21-54938807-350570593-2036031536-21088.

Next I used LDP.exe to translate the SID from the error message into something readable.

After investigating the problem I found that SeSecurityPrivilege corresponds to the "Manage audit and security log" user right under User Rights Assignment in Group Policy. Exchange setup automatically adds "DOMAIN\Exchange Enterprise Servers" and "DOMAIN\Exchange Servers" to the "Manage audit and security log" user rights assignment in the Default Domain Controllers Policy.
My client had unlinked the Default Domain Controllers Policy from the Domain Controllers OU and created their own custom policy - NOT RECOMMENDED. Restoring this policy resolved the problem.
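As an added check (example script, not part of the original post), the following PowerShell, run elevated on a domain controller, translates the SID from event 6006 without LDP.exe and then reads the effective "Manage auditing and security log" assignment from a secedit export, flagging whether the two Exchange groups still hold it. The SID is the one quoted in the event above; the group names are the ones the post says Exchange setup adds.

```powershell
# Added example: verify the condition behind MSExchange SACL Watcher event 6006.
# Run in an elevated PowerShell session on a domain controller.
$eventSid = 'S-1-5-21-54938807-350570593-2036031536-21088'   # SID from the event in the post

function Resolve-Sid([string]$Sid) {
    # Translate a SID to DOMAIN\Name; return the raw SID if it no longer resolves.
    try { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

# 1. What account is the event complaining about?
"Event SID $eventSid resolves to: $(Resolve-Sid $eventSid)"

# 2. Export the effective user-rights assignment from the local security database.
#    On a DC this reflects what Group Policy (e.g. Default Domain Controllers Policy) applied.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    "SeSecurityPrivilege is not assigned to any account in the effective policy."
    return
}

# 3. Entries are comma-separated; SIDs are prefixed with '*', names appear as-is.
$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) { Resolve-Sid $entry.Substring(1) } else { $entry }
}
"Accounts holding 'Manage auditing and security log':"
$holders | ForEach-Object { "  $_" }

# 4. Flag the groups Exchange setup expects to find in this right.
foreach ($group in @('Exchange Servers', 'Exchange Enterprise Servers')) {
    if ($holders | Where-Object { $_ -like "*\$group" }) {
        "OK      : $group holds SeSecurityPrivilege"
    } else {
        "MISSING : $group does not hold SeSecurityPrivilege (expect event 6006 on Exchange servers)"
    }
}
```

If a group shows as MISSING, compare the Group Policy objects linked to the Domain Controllers OU against the Default Domain Controllers Policy before re-linking it, since a custom policy that wins on this setting will overwrite the assignment again at the next refresh.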

7 comments:

  1. I actually enjoyed reading through this posting. Many thanks.
  2. Great information on a tricky, not very common issue! Tnx,
    David

  3. I've googled once before to find out if there's actually anything about the "default domain controller policy" and "default domain policy" that's special or would act differently than a custom policy and did not turn up any results. Can you provide any documentation, links, or explanations as to why it matters if I create my own policy for domain controllers versus using the "default" policy? Additionally, is there a way to identify/restore the default policy after it has been deleted or renamed beyond recognition?
