Wednesday, July 15, 2009

Important Event IDs under Windows Server 2003

If your server is running Windows Server 2003, you'll also see event ID 567 (Object Access Attempt) in between event IDs 560 and 562. Event ID 567 is part of Windows 2003's new operation-based auditing, which lets you identify the permissions a user actually exercises, as opposed to permissions the user has but doesn't use. For instance, a program might open a file for read and write access (triggering an event ID 560 that shows both read and write access) but never actually write any data to the file. Windows 2003 logs event ID 567 the first time an application actually uses each permission while the file is open. A permission change operation is atomic (i.e., the object isn't opened for delete and then deleted; it's just deleted), so there's no need to look for event ID 567; it should always be there.
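As an added example (not part of the original post), the script below correlates 560, 567 and 562 events by handle ID so you can see, per open handle, which granted permissions were actually exercised. The event records are constructed for illustration and reduced to the fields the correlation needs; the handle IDs, path and access names are assumed sample values.

```python
# Added example: compare permissions granted at open (event 560) with
# permissions actually used (event 567) before the handle closes (event 562).
# Sample events are constructed, not taken from a real log:
# (event_id, handle_id, object_name, accesses)
SAMPLE_EVENTS = [
    # Handle 0x4a8: opened read+write, only read ever exercised, then closed.
    (560, "0x4a8", "C:\\Payroll\\salaries.xls", {"READ_DATA", "WRITE_DATA"}),
    (567, "0x4a8", "C:\\Payroll\\salaries.xls", {"READ_DATA"}),
    (562, "0x4a8", "C:\\Payroll\\salaries.xls", set()),
    # Handle 0x5c1: opened read+write, both exercised (one 567 per first use).
    (560, "0x5c1", "C:\\Payroll\\salaries.xls", {"READ_DATA", "WRITE_DATA"}),
    (567, "0x5c1", "C:\\Payroll\\salaries.xls", {"READ_DATA"}),
    (567, "0x5c1", "C:\\Payroll\\salaries.xls", {"WRITE_DATA"}),
    (562, "0x5c1", "C:\\Payroll\\salaries.xls", set()),
    # Handle 0x612: still open (no 562 yet), so it is not reported.
    (560, "0x612", "C:\\Payroll\\salaries.xls", {"READ_DATA"}),
    # A 567 with no matching 560 (e.g. log rolled over) is ignored.
    (567, "0x999", "C:\\Payroll\\salaries.xls", {"READ_DATA"}),
]


def correlate_handles(events):
    """Group events by handle: granted accesses, used accesses, closed flag."""
    handles = {}
    for event_id, handle_id, obj, accesses in events:
        if event_id == 560:             # Object Open: record what was granted
            handles[handle_id] = {"object": obj, "granted": set(accesses),
                                  "used": set(), "closed": False}
        elif handle_id not in handles:  # 567/562 without a prior 560: skip
            continue
        elif event_id == 567:           # Object Access Attempt: permission used
            handles[handle_id]["used"] |= set(accesses)
        elif event_id == 562:           # Handle Closed
            handles[handle_id]["closed"] = True
    return handles


def unused_permissions(events):
    """Per closed handle, permissions granted at open but never exercised."""
    report = {}
    for handle_id, h in correlate_handles(events).items():
        if h["closed"]:
            report[handle_id] = h["granted"] - h["used"]
    return report


if __name__ == "__main__":
    for handle_id, unused in unused_permissions(SAMPLE_EVENTS).items():
        print(handle_id, "granted but unused:", sorted(unused) or "none")
```

Running over a real export, the handles whose unused set is non-empty are the ones where an account held more access than its application needed.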