netbt_tcpip audit entry filling up logs


Brandon McCombs
February 25th 05, 01:18 AM
Hey guys,

I work in a secure environment and we have to have auditing on for a lot
of things. I have Object Access set to Failure and for some reason on
some machines on some domains I have a ton of entries (45 megs worth in
a day) because of failure audits being reported on behalf of the user
logged in where explorer.exe is trying to access
/device/netbt_tcpip.... There is a long string of numbers after the
tcpip part but I don't have access to the value because it is on a
secure private network and I'm not at work right now. I've searched on
Google to find out why the failure audit occurs and no one seems to
know. I found out that netbt_tcpip is the netbios over tcpip protocol
on the network but we have netbios over tcpip disabled on the machines. The
users do access fileshares if that makes a difference.

As a side note, I'm a domain admin and on my machine I have a ton of
success audits (slightly different security policy, long story) that
fill up my security log. The audits are for the same thing but since
Successes are not the norm and it's on my own machine I can deal with
that.

thanks
Brandon
