Re: Event ID 565

From: Tom Grassi (tom@tgcsnet.com)
Date: 05/23/02 

From: "Tom Grassi" <tom@tgcsnet.com>
Date: Wed, 22 May 2002 22:54:05 -0400

Eric

I am getting s similar event: It only happens at system startup of a member
server that was a DC. I recently demoted it to a member server.

Here are my event 565 messages.

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 5/22/2002
Time: 4:50:26 PM
User: HARMONY\TGCS-PHI1-NT$
Computer: TGCS-PHI4-NT
Description:
Object Open:
  Object Server: DS
  Object Type: computer
  Object Name: CN=TGCS-PHI1-NT,CN=Computers,DC=Harmony,DC=com
  New Handle ID: -
  Operation ID: {0,114446}
  Process ID: 260
  Primary User Name: TGCS-PHI4-NT$
  Primary Domain: HARMONY
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: TGCS-PHI1-NT$
  Client Domain: HARMONY
  Client Logon ID: (0x0,0x1BF02)
  Accesses Write Property

  Privileges -

 Properties:
Create Child
Control Access
  Public Information
   servicePrincipalName

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 5/22/2002
Time: 4:50:26 PM
User: HARMONY\TGCS-PHI1-NT$
Computer: TGCS-PHI4-NT
Description:
Object Open:
  Object Server: DS
  Object Type: computer
  Object Name: CN=TGCS-PHI1-NT,CN=Computers,DC=Harmony,DC=com
  New Handle ID: -
  Operation ID: {0,114448}
  Process ID: 260
  Primary User Name: TGCS-PHI4-NT$
  Primary Domain: HARMONY
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: TGCS-PHI1-NT$
  Client Domain: HARMONY
  Client Logon ID: (0x0,0x1BF02)
  Accesses Write Property

  Privileges -

 Properties:
Create Child
Control Access
  Public Information
   servicePrincipalName

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 5/22/2002
Time: 4:50:27 PM
User: HARMONY\TGCS-PHI1-NT$
Computer: TGCS-PHI4-NT
Description:
Object Open:
  Object Server: DS
  Object Type: computer
  Object Name: CN=TGCS-PHI1-NT,CN=Computers,DC=Harmony,DC=com
  New Handle ID: -
  Operation ID: {0,114532}
  Process ID: 260
  Primary User Name: TGCS-PHI4-NT$
  Primary Domain: HARMONY
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: TGCS-PHI1-NT$
  Client Domain: HARMONY
  Client Logon ID: (0x0,0x1BF58)
  Accesses Write Property

  Privileges -

 Properties:
Create Child
Control Access
  Public Information
   servicePrincipalName
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 5/22/2002
Time: 4:50:27 PM
User: HARMONY\TGCS-PHI1-NT$
Computer: TGCS-PHI4-NT
Description:
Object Open:
  Object Server: DS
  Object Type: computer
  Object Name: CN=TGCS-PHI1-NT,CN=Computers,DC=Harmony,DC=com
  New Handle ID: -
  Operation ID: {0,114534}
  Process ID: 260
  Primary User Name: TGCS-PHI4-NT$
  Primary Domain: HARMONY
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: TGCS-PHI1-NT$
  Client Domain: HARMONY
  Client Logon ID: (0x0,0x1BF58)
  Accesses Write Property

  Privileges -

 Properties:
Create Child
Control Access
  Public Information
   servicePrincipalName

 Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 5/22/2002
Time: 4:53:56 PM
User: HARMONY\TGCS-PHI5-NT$
Computer: TGCS-PHI4-NT
Description:
Object Open:
  Object Server: DS
  Object Type: rpcServer
  Object Name: CN=RpcServices,CN=System,DC=Harmony,DC=com
  New Handle ID: -
  Operation ID: {0,118855}
  Process ID: 260
  Primary User Name: TGCS-PHI4-NT$
  Primary Domain: HARMONY
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: TGCS-PHI5-NT$
  Client Domain: HARMONY
  Client Logon ID: (0x0,0x1D03E)
  Accesses Create Child

  Privileges -

 Properties:

Any ideas or thoughts?

Microsoft wants me to open another issue on this for another $245. They are
the ones who told me to demote my dc and move it over to my other domain.
What a joke. I can not find any q articles or tech notes that explain any
security failures.

Only on this newsgroup my we find someone who can answer our problems.

Thanks

Tom

"Tom Finlay" <tom.finlay@rollcagetech.com> wrote in message
news:66cf01c201d4$33f7af40$9be62ecf@tkmsftngxa03...
> Hey Erick,
>
> I spent numerous hours trying various things to find out
> what object corresponds to this GUID and I cannot seem to
> find any object that associated with this particular GUID.
> I am beggining to think that this object does not exist
> and that this is my reason for continually geting this
> error message. What do you think?
>
> >-----Original Message-----
> >Hey Tom,
> >
> >This is failure event 565, correct?
> >
> >What object corresponds to the following GUID: {ae85ca08-
> d8b0-40ec-8f44-
> >396337cc0318} ?
> >
> >What process corresponds to PID 292?
> >
> >Thanks,
> >
> >Eric
> >
> >--
> >Eric Fitzgerald
> >Program Manager, Windows Auditing and Intrusion Detection
> >Microsoft Corporation
> >
> >
> >"Tom Finlay" <tom.finlay@rollcagetech.com> wrote in
> message
> >news:51a301c2001f$7a5aea80$9ae62ecf@tkmsftngxa02...
> >>
> >> >-----Original Message-----
> >> >Please post the entire text of the event.
> >> >
> >> >--
> >> >Eric Fitzgerald
> >> >Program Manager, Windows Auditing and Intrusion
> Detection
> >> >Microsoft Corporation
> >> >
> >> >
> >> >"Tom Finlay" <tom.finlay@rollcagetech.com> wrote in
> >> message
> >> >news:3bd001c1fc32$162396c0$9be62ecf@tkmsftngxa03...
> >> >> Domain controller 01 generates a failure audit in
> >> security
> >> >> log, event ID 565, Directory service access, repeated
> >> >> failure every 30 minutes
> >> >>
> >> >> Primary User Name DC01
> >> >> Client User Name DC02
> >> >> Access Read Property
> >> >
> >> >
> >> >.Object Open:
> >> Object Server: DS
> >> Object Type: container
> >> Object Name: %{ae85ca08-d8b0-40ec-8f44-
> >> 396337cc0318}
> >> New Handle ID: -
> >> Operation ID: {0,164179407}
> >> Process ID: 292
> >> Primary User Name: XXXX-XXXX-DC01$
> >> Primary Domain: ROLLCAGETECH
> >> Primary Logon ID: (0x0,0x3E7)
> >> Client User Name: XXXX-XXXX-DC02$
> >> Client Domain: XXXXXXXXXXX
> >> Client Logon ID: (0x0,0x9B53C73)
> >> Accesses Read Property
> >>
> >> Privileges -
> >>
> >> Properties:
> >> READ_CONTROL
> >> WRITE_DAC
> >> SYNCHRONIZE
> >> Create Child
> >> List Contents
> >> Read Property
> >> Write Property
> >> %{00000000-0000-0000-0000-000000000000}
> >> SYNCHRONIZE
> >> List Contents
> >> Read Property
> >> Write Property
> >> uSNChanged
> >>
> >> >
> >
> >
> >.
> >

Relevant Pages

  • Auditing Access to files??
    ... Within about 10 minutes I will get 8000 + entries in the Security ... Object Server: Security ... Primary Logon ID: ... Client User Name: - ...
    (microsoft.public.win2000.security)
  • Re: SAM events
    ... When you enable auditing of object access, a lot of system access events are ... > Object Server: Security Account Manager ... > Primary Logon ID: ... > Client User Name: SERVER$ ...
    (microsoft.public.win2000.security)
  • Re: Why does this keep happening...
    ... here's what's showing up in my security log in the event ... Object Server: Security ... Primary Logon ID: ... Client User Name: - ...
    (microsoft.public.inetserver.iis.security)
  • Security Event 565
    ... I keep getting this error in my PDC security event logs. ... is my exchange 2003 server. ... Primary Logon ID: ... Client Domain: CENTRAL_ADMIN ...
    (microsoft.public.exchange2000.general)
  • Event ID 565
    ... I keep getting this error in my PDC security event logs. ... is my exchange 2003 server. ... Primary Logon ID: ... Client Domain: CENTRAL_ADMIN ...
    (microsoft.public.windows.server.security)