Object Access Event: 560

Active Directory Auditing Tool

Who, where and when information is very important for an administrator who needs complete knowledge of all activities that occur in their Active Directory. It helps them identify any desired or undesired activity. ADAudit Plus provides this information in the form of reports. Ensure in real time that critical resources in the network, such as Domain Controllers, are audited, monitored and reported on, with complete information on AD objects (Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes), through 200+ detailed event-specific GUI reports and email alerts.

Event ID 560 – Object Open

Event ID: 560
Category: Object Access
Type: Success Audit; Failure Audit
Description: A program has opened an object.

When a program opens an object, event ID 560 is logged, provided the object's audit policy covers the open attempt in each of the following ways:

— The audit policy for the object has enabled auditing of the requested access type.

— The audit policy for the object covers the outcome of the open attempt (success or failure).

— The audit policy for the object includes the account running the program in its list of accounts to be audited.

If the open attempt fails, only event 560 is logged. If it succeeds, event 562 is logged after event 560.

This log data provides the following information:

  • Object Type
  • Object Name
  • New Handle ID
  • Operation ID
  • Process ID
  • Image File Name
  • Primary Fields
  • Client Fields
  • Logon IDs
  • Access

Why does event ID 560 need to be monitored?

  • To track failed and successful attempts to access files and other Windows objects
  • To prevent privilege abuse
  • To detect abnormal and potentially malicious activity
  • To ensure compliance with regulatory mandates
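As an added example (not ADAudit Plus or Microsoft code), the sketch below parses the description text of event 560 into the fields listed above and counts Failure Audit events per user and object, which is the first monitoring goal in the list. The "Label: value" text layout, the Primary/Client user name labels, the rule that a client user takes precedence over the primary user, the threshold of 3 and the sample events are assumptions constructed for illustration.

```python
from collections import Counter

# Labels follow the page's field list; the "Label: value" layout is assumed.
FIELDS = {"Object Type", "Object Name", "New Handle ID", "Operation ID",
          "Process ID", "Image File Name", "Primary User Name",
          "Client User Name", "Accesses"}

def parse_560(message):
    """Turn the description text of one event 560 into a dict of fields."""
    fields, last = {}, None
    for raw in message.splitlines():
        label, sep, value = raw.strip().partition(":")
        if sep and label in FIELDS:
            last, fields[label] = label, value.strip()
        elif sep:
            last = None  # a labelled field this example does not track
        elif last == "Accesses" and label:
            fields[last] += " " + label  # access list continues unlabelled
    return fields

def effective_user(fields):
    """Client user if the process acted on someone's behalf, else primary."""
    client = fields.get("Client User Name", "-")
    return client if client not in ("", "-") else fields.get("Primary User Name", "-")

def failed_opens(events, threshold=3):
    """Map (user, object) to its Failure Audit count when >= threshold."""
    counts = Counter()
    for audit_type, message in events:
        if audit_type == "Failure Audit":
            f = parse_560(message)
            counts[(effective_user(f), f.get("Object Name", "?"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def sample(primary, client, name):
    """Constructed event text for the demo; not taken from a real log."""
    return "\n".join([
        "Object Open:", "\tObject Type:\tFile", f"\tObject Name:\t{name}",
        "\tNew Handle ID:\t-", "\tOperation ID:\t{0,117792}",
        "\tProcess ID:\t756", "\tImage File Name:\tC:\\WINDOWS\\explorer.exe",
        f"\tPrimary User Name:\t{primary}", f"\tClient User Name:\t{client}",
        "\tAccesses:\tREAD_CONTROL", "\t\tReadData (or ListDirectory)",
        "\tPrivileges:\t-"])

EVENTS = ([("Failure Audit", sample("FS01$", "jdoe", r"C:\Payroll\salaries.xls"))] * 3
          + [("Failure Audit", sample("asmith", "-", r"C:\Payroll\salaries.xls")),
             ("Success Audit", sample("asmith", "-", r"C:\Public\readme.txt"))])

if __name__ == "__main__":
    for (user, obj), n in failed_opens(EVENTS).items():
        print(f"{user}: {n} failed opens of {obj}")
```
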

Pro Tip:

ADAudit Plus provides real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports provide detailed information about object related events.

Event 560 applies to the following operating systems:

  • Windows Server 2000
  • Windows 2003 and XP

The corresponding event ID in Windows 2008 and Windows Vista is 4656.