Security Event Error 521

Belan Marek 51 Reputation points
2022-12-07T10:55:36.93+00:00

On one of our DCs we are starting to have event 521. On the second DC it's OK. 521 has 0x80000005, which means access denied.

How can we find the process which is trying to write to sec events?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">521</EventID>
    <Level>0</Level>
    <Task>1</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2022-12-07T06:22:45.203496300Z" />
    <EventRecordID>2604507626</EventRecordID>
    <Channel>Security</Channel>
    <Computer>DC1</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>0x80000005</Data>
    <Data>0</Data>
    <Data>1</Data>
  </EventData>
</Event>

Windows Server
Active Directory

1 answer

  1. Limitless Technology 43,931 Reputation points
    2022-12-08T10:28:16.433+00:00

    Hello there,

    You can use Process Monitor to find the process. This event is logged if Windows was unable to write events to the Security event log. The code for the reason of occurrence. Whether the system should halt when not able to write to the security log.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

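A way to triage the event from the question on both domain controllers before starting a Process Monitor capture, as an added example that is not part of the original thread: it reads the Security log settings and the three `<Data>` values of each 521 event. `DC2` is a placeholder name, and the field names and the NTSTATUS reading of the status value are assumptions.

```powershell
# Added example. DC1 comes from the event on the page; DC2 is a placeholder.
$dcs = 'DC1', 'DC2'

# Assumed meaning of the three <Data> values, in the order they appear.
$fields = 'StatusCode', 'CrashOnAuditFail', 'FailedAudits'

# A few NTSTATUS values, assuming StatusCode is an NTSTATUS.
$ntstatus = @{
    '0x80000005' = 'STATUS_BUFFER_OVERFLOW'
    '0xC0000022' = 'STATUS_ACCESS_DENIED'
    '0xC0000188' = 'STATUS_LOG_FILE_FULL'
}

$logInfo = @()
$hits    = @()

foreach ($dc in $dcs) {
    # Security log configuration: size limit, retention mode, current state.
    $log = Get-WinEvent -ListLog Security -ComputerName $dc
    $logInfo += [pscustomobject]@{
        Computer   = $dc
        LogMode    = $log.LogMode
        MaxSizeMB  = [math]::Round($log.MaximumSizeInBytes / 1MB)
        FileSizeMB = [math]::Round($log.FileSize / 1MB)
        IsLogFull  = $log.IsLogFull
    }

    # Most recent 521 events; a DC without any returns nothing.
    $events = Get-WinEvent -ComputerName $dc -MaxEvents 50 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 521 }

    foreach ($e in $events) {
        # @() keeps indexing safe if an event carries fewer values than expected.
        $data = @(([xml]$e.ToXml()).Event.EventData.Data)
        $row  = [ordered]@{ Computer = $dc; TimeCreated = $e.TimeCreated; RecordId = $e.RecordId }
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $data[$i] }
        $name = $ntstatus[[string]$row.StatusCode]
        $row.StatusName = if ($name) { $name } else { 'not in table' }
        $hits += [pscustomobject]$row
    }
}

$logInfo | Format-Table -AutoSize
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

The `TimeCreated` values give the window in which to run a Process Monitor capture on the affected DC, and a difference in `LogMode` or `MaxSizeMB` between the two controllers is worth checking first.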