Here's another OpsMgr 2007 tip from Milan Jajal, a support engineer in our Manageability group. I hate to steal his thunder, but he basically says that if you're seeing 570 security audit failures sourced from Microsoft Operations Manager then you can probably ignore them:
Issue: On a System Center Operations Manager 2007 Root Management Server (RMS) you may get Failure Audit events in the Security event log every few seconds. These events may look like this:
Event Type: Failure Audit Event Source: Security Event Category: Object Access Event ID: 570 Date: <date> Time: <time> User: DOMAIN\User Account Computer: <computer name> Description: Application operation attempt: Application Name: Microsoft Operations Manager Application Instance ID: (0x0,0x36F49) Object Name: GetUserRolesForOperationAndUser Scope Names: 2537b367-6d74-4110-b0b5-1f51c1b1b09e Client Name: DataReaderAccount Client Domain: DOMAIN Client Context ID: (0x0,0x48D90F9) Role: Role Groups: Group Operation Name: UserRole__Get (150)
Cause: This is actually expected behavior. The event observed with auditing enabled can be safely ignored as it has no impact on the functionality of SCOM 2007.
More Information: The reason these events occur is because Operations Manager queries all the roles that the Data Warehouse writer account has been assigned to and the data warehouse writer account is part of the user roles:
The Operations Manager Report Operators role does not have permissions to the UserRole__Get operation mentioned in the event, however the Operations Manager Report Security Administrators role does have permission to this operation. Since Operations Manager queries all of these user roles for permissions to the UserRole__Get operation, and because the 'Operations Manager Report Operators' role does not have permissions to this operation, we get the security audit failure events. However when we then query the Operations Manager Report Security Administrators role we get the success meaning we access and execute the operation successfully on the second attempt. Therefore the first-attempt failures can be ignored.
J.C. Hornbeck | Manageability Knowledge Engineer