Event ID 578 SeTcbPrivilege

[cookie_monster]

I'm seeing this event on one of our servers, Web and print server it has only started recently and i'm pretty sure that nothing has changed. I'm having a bit of trouble identifying the source has anyone had this before?

This is on a 2003 R2server with SP2.

Faliure
Source: Security
Event ID 578
Privileged object operation:
Object Server: Security
Object Handle: 0
Process ID: 2520
Primary User Name: user
Primary Domain: BCS
Primary Logon ID: (0x0,0x3B06C)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeTcbPrivilege

This is what MS say i've checked and no one has the "Act as part of the operating system" rights the same as on our other 2003 servers. The username in the faliure event is the domain admin account.

Act as part of the operating system
Look for Event ID 577 or 578 with the SeTcbPrivilege access privilege indicated. The user account
that made use of the user right is identified in the event details. This event can indicate a user's
attempt to elevate security privileges by acting as part of the operating system. For example, the
GetAdmin attack, where a user attempts to add their account to the Administrators group uses this
privilege. The only entries for this event should be for the System account, and any service
accounts assigned this user right.

[Geoff]

Is the webserver accessible externally?

[cookie_monster]

No it's only an intranet server.