Event ID/Source search
Keyword searchExample: Windows cannot unload your registry file
Event ID: 6006 Source: MSExchange SACL Watcher
|Source: MSExchange SACL Watcher|
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account S-1-5-21-1383866989-2534750834-1582297112-1114.
|English: Request a translation of the event description in plain English.|
Jonathan L. Raper
In my case I was getting this error every 5 minutes exactly. I ran the Sysinternals "psgetsid" to translate the SID into a friendly name. It turned out this was the CONTOSO\Exchange Servers Group.
These sites pointed me in the right direction but did not completely solve the mystery for me:
EV100533 (SeSecurityPrivilege privilege is removed from account)
EV100534 (SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account)
EV100535 (SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account)
Upon further investigation I found that while the Exchange Server was a member of that group and that there was a default domain controllers policy AND the default domain controllers policy was linked to the OU containing the domain controllers unfortunately there was also a default domain policy that was linked to that OU and winning out. As a work around I added the "Exchange Servers" group to the "Manage auditing and security log" setting in the Default Domain Policy. Once this was done and group policy was refreshed on the domain controllers the errors stopped.
Obviously the default domain policy overriding the default domain controllers policy needs to be dealt with but that has much more significant implications than just adding the Exchange Servers group to the default domain policy.
|Private comment: Subscribers only. See example of private comment|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (0) - More links...|
Send comments or solutions
- Notify me when updated