OpsMgr 2007: Failure Audit events 570 in Security event log of RMS server

Here's another OpsMgr 2007 tip from Milan Jajal, a support engineer in our Manageability group.  I hate to steal his thunder, but he basically says that if you're seeing 570 security audit failures sourced from Microsoft Operations Manager then you can probably ignore them:

========

Issue: On a System Center Operations Manager 2007 Root Management Server (RMS) you may get Failure Audit events in the Security event log every few seconds.  These events may look like this:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 570
Date: <date>
Time: <time>
User: DOMAIN\User Account
Computer: <computer name>
Description:
Application operation attempt:
Application Name: Microsoft Operations Manager
Application Instance ID: (0x0,0x36F49)
Object Name: GetUserRolesForOperationAndUser
Scope Names: 2537b367-6d74-4110-b0b5-1f51c1b1b09e
Client Name: DataReaderAccount
Client Domain: DOMAIN
Client Context ID: (0x0,0x48D90F9)
Role: Role
Groups: Group
Operation Name: UserRole__Get (150)

Cause: This is actually expected behavior.  The event observed with auditing enabled can be safely ignored as it has no impact on the functionality of SCOM 2007. 

More Information: These events occur because Operations Manager queries all the roles that the Data Warehouse writer account has been assigned to, and the Data Warehouse writer account is a member of these user roles:

  • Operations Manager Report Operators
  • Operations Manager Report Security Administrators

The Operations Manager Report Operators role does not have permission to the UserRole__Get operation mentioned in the event; the Operations Manager Report Security Administrators role does. Because Operations Manager queries each of these user roles for permission to the UserRole__Get operation, the check against the Operations Manager Report Operators role fails and generates the security audit failure event. The subsequent check against the Operations Manager Report Security Administrators role succeeds, so the operation is accessed and executed successfully on the second attempt. Therefore the first-attempt failures can be ignored.
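If you filter these events out of log review, keep the filter as narrow as the pattern described above so that other 570 failures still surface. The following is an added example, not part of the original tip or of Operations Manager: it classifies exported event text in the layout shown on this page, and the function names, the service-account list and the sample events are assumptions constructed for illustration.

```python
# Added example: triage of exported Security-log text, not OpsMgr code.
BENIGN = {  # values copied from the event shown on this page
    "Event Type": "Failure Audit",
    "Event ID": "570",
    "Application Name": "Microsoft Operations Manager",
    "Object Name": "GetUserRolesForOperationAndUser",
    "Operation Name": "UserRole__Get (150)",
}

def parse_event(text):
    """Parse the 'Key: value' lines of one exported event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def classify(text, service_accounts):
    """'expected' only for the documented pattern from a known service account."""
    f = parse_event(text)
    if f.get("Event ID") != "570" or f.get("Event Type") != "Failure Audit":
        return "other"
    known = all(f.get(k) == v for k, v in BENIGN.items())
    if known and f.get("Client Name", "").lower() in service_accounts:
        return "expected"
    return "review"  # any other 570 failure still needs a human look

def make_event(client, operation):
    """Build a constructed sample in the layout shown on this page."""
    return "\n".join([
        "Event Type: Failure Audit",
        "Event Source: Security",
        "Event ID: 570",
        "Application Name: Microsoft Operations Manager",
        "Object Name: GetUserRolesForOperationAndUser",
        "Client Name: " + client,
        "Client Domain: DOMAIN",
        "Operation Name: " + operation,
    ])

ACCOUNTS = {"datareaderaccount"}  # assumption: your own service account names
SAMPLES = [  # constructed samples, not real log data
    make_event("DataReaderAccount", "UserRole__Get (150)"),
    make_event("jdoe", "UserRole__Get (150)"),
    make_event("DataReaderAccount", "Hypothetical__Op (0)"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s, ACCOUNTS))
```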

========

Thanks Milan!

J.C. Hornbeck | Manageability Knowledge Engineer