Event ID: 6006 Source: MSExchangeSACLWatcher

Level
Description
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account S-1-5-21-1383866989-2534750834-1582297112-1114.
Comments
 
In my case I was getting this error every 5 minutes exactly. I ran the Sysinternals "psgetsid" to translate the SID into a friendly name. It turned out this was the CONTOSO\Exchange Servers Group.

These sites pointed me in the right direction but did not completely solve the mystery for me:

EV100533 (SeSecurityPrivilege privilege is removed from account)

EV100534 (SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account)

EV100535 (SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account)

Upon further investigation, I found that while the Exchange Server was a member of that group, and there was a default domain controllers policy, AND the default domain controllers policy was linked to the OU containing the domain controllers, unfortunately there was also a default domain policy that was linked to that OU and winning out. As a workaround, I added the "Exchange Servers" group to the "Manage auditing and security log" setting in the Default Domain Policy. Once this was done and group policy was refreshed on the domain controllers, the errors stopped.

Obviously the default domain policy overriding the default domain controllers policy needs to be dealt with but that has much more significant implications than just adding the Exchange Servers group to the default domain policy.
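
The check described in the comment above can be scripted. This is an added example, not part of the original comment: it resolves the SID from the event, exports the effective user rights on the domain controller with `secedit`, and reports whether that account holds SeSecurityPrivilege ("Manage auditing and security log"). It assumes an elevated PowerShell session on a domain controller; the temp file names are arbitrary.

```powershell
# Added example. Run elevated on a domain controller.
# SID copied from the event description on this page.
$sid = 'S-1-5-21-1383866989-2534750834-1582297112-1114'

# Translate the SID to a friendly name (what psgetsid reports).
$name = '<unresolved>'
try {
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
} catch {
    Write-Warning "Could not translate $sid to an account name."
}

# Export the effective user-rights assignments of this machine.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the session elevated?)' }

# Entries look like: SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
# secedit writes the file as UTF-16, hence -Encoding Unicode.
$holders = @()
$line = Get-Content -Path $cfg -Encoding Unicode |
    Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } |
    Select-Object -First 1
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# The right may be listed by SID or, less often, by account name.
$granted = ($holders -contains $sid) -or ($holders -contains $name)

[pscustomobject]@{
    Sid                    = $sid
    Account                = $name
    HasSeSecurityPrivilege = $granted
    CurrentHolders         = $holders -join ', '
}

# To see which GPO supplies the winning value for this setting,
# generate the computer-scope Resultant Set of Policy report:
gpresult /scope computer /h "$env:TEMP\gpresult-computer.html" /f
```

If `HasSeSecurityPrivilege` is false, the "Winning GPO" column for "Manage auditing and security log" in the generated report shows which policy is overriding the expected one.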
