Re: Event ID 565

From: Kal Tire (Jeff_Bevans@removethis.kaltire.com)
Date: 05/24/02


From: "Kal Tire" <Jeff_Bevans@removethis.kaltire.com>
Date: Fri, 24 May 2002 08:52:36 -0700


I am having the same problem as well. My error messages are being logged on
the DC that is the PDC FSMO. The user is the computer that is my Exchange
2000 server. Here is one of the logged events:

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 24/05/2002
Time: 8:39:57 AM
User: XXXXXXX\GANDALF$ - this is the exchange server
Computer: AVALON - DC that is PDC FSMO
Description:
Object Open:
  Object Server: DS
  Object Type: configuration
  Object Name: CN=Configuration,DC=XXXXXX,DC=com
  New Handle ID: -
  Operation ID: {0,4906109}
  Process ID: 292
  Primary User Name: AVALON$
  Primary Domain: XXXXX
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: GANDALF$
  Client Domain: XXXXX
  Client Logon ID: (0x0,0x4ADC71)
  Accesses Control Access

  Privileges -

 Properties:
READ_CONTROL
Create Child
Delete Child
List Contents
Write Self
Delete Tree
  Manage Replication Topology

The process 292 is LSASS.exe

"Tom Grassi" <tom@tgcsnet.com> wrote in message
news:OYxibUgACHA.2172@tkmsftngp04...
> Eric
>
> I am getting a similar event: It only happens at system startup of a member
> server that was a DC. I recently demoted it to a member server.
>
> Here are my event 565 messages.
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Directory Service Access
> Event ID: 565
> Date: 5/22/2002
> Time: 4:50:26 PM
> User: HARMONY\TGCS-PHI1-NT$
> Computer: TGCS-PHI4-NT
> Description:
> Object Open:
> Object Server: DS
> Object Type: computer
> Object Name: CN=TGCS-PHI1-NT,CN=Computers,DC=Harmony,DC=com
> New Handle ID: -
> Operation ID: {0,114446}
> Process ID: 260
> Primary User Name: TGCS-PHI4-NT$
> Primary Domain: HARMONY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: TGCS-PHI1-NT$
> Client Domain: HARMONY
> Client Logon ID: (0x0,0x1BF02)
> Accesses Write Property
>
> Privileges -
>
> Properties:
> Create Child
> Control Access
> Public Information
> servicePrincipalName
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Directory Service Access
> Event ID: 565
> Date: 5/22/2002
> Time: 4:50:26 PM
> User: HARMONY\TGCS-PHI1-NT$
> Computer: TGCS-PHI4-NT
> Description:
> Object Open:
> Object Server: DS
> Object Type: computer
> Object Name: CN=TGCS-PHI1-NT,CN=Computers,DC=Harmony,DC=com
> New Handle ID: -
> Operation ID: {0,114448}
> Process ID: 260
> Primary User Name: TGCS-PHI4-NT$
> Primary Domain: HARMONY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: TGCS-PHI1-NT$
> Client Domain: HARMONY
> Client Logon ID: (0x0,0x1BF02)
> Accesses Write Property
>
> Privileges -
>
> Properties:
> Create Child
> Control Access
> Public Information
> servicePrincipalName
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Directory Service Access
> Event ID: 565
> Date: 5/22/2002
> Time: 4:50:27 PM
> User: HARMONY\TGCS-PHI1-NT$
> Computer: TGCS-PHI4-NT
> Description:
> Object Open:
> Object Server: DS
> Object Type: computer
> Object Name: CN=TGCS-PHI1-NT,CN=Computers,DC=Harmony,DC=com
> New Handle ID: -
> Operation ID: {0,114532}
> Process ID: 260
> Primary User Name: TGCS-PHI4-NT$
> Primary Domain: HARMONY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: TGCS-PHI1-NT$
> Client Domain: HARMONY
> Client Logon ID: (0x0,0x1BF58)
> Accesses Write Property
>
> Privileges -
>
> Properties:
> Create Child
> Control Access
> Public Information
> servicePrincipalName
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Directory Service Access
> Event ID: 565
> Date: 5/22/2002
> Time: 4:50:27 PM
> User: HARMONY\TGCS-PHI1-NT$
> Computer: TGCS-PHI4-NT
> Description:
> Object Open:
> Object Server: DS
> Object Type: computer
> Object Name: CN=TGCS-PHI1-NT,CN=Computers,DC=Harmony,DC=com
> New Handle ID: -
> Operation ID: {0,114534}
> Process ID: 260
> Primary User Name: TGCS-PHI4-NT$
> Primary Domain: HARMONY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: TGCS-PHI1-NT$
> Client Domain: HARMONY
> Client Logon ID: (0x0,0x1BF58)
> Accesses Write Property
>
> Privileges -
>
> Properties:
> Create Child
> Control Access
> Public Information
> servicePrincipalName
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Directory Service Access
> Event ID: 565
> Date: 5/22/2002
> Time: 4:53:56 PM
> User: HARMONY\TGCS-PHI5-NT$
> Computer: TGCS-PHI4-NT
> Description:
> Object Open:
> Object Server: DS
> Object Type: rpcServer
> Object Name: CN=RpcServices,CN=System,DC=Harmony,DC=com
> New Handle ID: -
> Operation ID: {0,118855}
> Process ID: 260
> Primary User Name: TGCS-PHI4-NT$
> Primary Domain: HARMONY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: TGCS-PHI5-NT$
> Client Domain: HARMONY
> Client Logon ID: (0x0,0x1D03E)
> Accesses Create Child
>
> Privileges -
>
> Properties:
>
>
> Any ideas or thoughts?
>
> Microsoft wants me to open another issue on this for another $245. They are
> the ones who told me to demote my dc and move it over to my other domain.
> What a joke. I can not find any q articles or tech notes that explain any
> security failures.
>
> Only on this newsgroup may we find someone who can answer our problems.
>
> Thanks
>
> Tom
>
>
>
>
> "Tom Finlay" <tom.finlay@rollcagetech.com> wrote in message
> news:66cf01c201d4$33f7af40$9be62ecf@tkmsftngxa03...
> > Hey Erick,
> >
> > I spent numerous hours trying various things to find out
> > what object corresponds to this GUID and I cannot seem to
> > find any object that is associated with this particular GUID.
> > I am beginning to think that this object does not exist
> > and that this is my reason for continually getting this
> > error message. What do you think?
> >
> > >-----Original Message-----
> > >Hey Tom,
> > >
> > >This is failure event 565, correct?
> > >
> > >What object corresponds to the following GUID:
> > >{ae85ca08-d8b0-40ec-8f44-396337cc0318} ?
> > >
> > >What process corresponds to PID 292?
> > >
> > >Thanks,
> > >
> > >Eric
> > >
> > >--
> > >Eric Fitzgerald
> > >Program Manager, Windows Auditing and Intrusion Detection
> > >Microsoft Corporation
> > >
> > >
> > >"Tom Finlay" <tom.finlay@rollcagetech.com> wrote in message
> > >news:51a301c2001f$7a5aea80$9ae62ecf@tkmsftngxa02...
> > >>
> > >> >-----Original Message-----
> > >> >Please post the entire text of the event.
> > >> >
> > >> >--
> > >> >Eric Fitzgerald
> > >> >Program Manager, Windows Auditing and Intrusion Detection
> > >> >Microsoft Corporation
> > >> >
> > >> >
> > >> >"Tom Finlay" <tom.finlay@rollcagetech.com> wrote in message
> > >> >news:3bd001c1fc32$162396c0$9be62ecf@tkmsftngxa03...
> > >> >> Domain controller 01 generates a failure audit in security
> > >> >> log, event ID 565, Directory service access, repeated
> > >> >> failure every 30 minutes
> > >> >>
> > >> >> Primary User Name DC01
> > >> >> Client User Name DC02
> > >> >> Access Read Property
> > >> >
> > >> >
> > >> >.Object Open:
> > >> Object Server: DS
> > >> Object Type: container
> > >> Object Name: %{ae85ca08-d8b0-40ec-8f44-396337cc0318}
> > >> New Handle ID: -
> > >> Operation ID: {0,164179407}
> > >> Process ID: 292
> > >> Primary User Name: XXXX-XXXX-DC01$
> > >> Primary Domain: ROLLCAGETECH
> > >> Primary Logon ID: (0x0,0x3E7)
> > >> Client User Name: XXXX-XXXX-DC02$
> > >> Client Domain: XXXXXXXXXXX
> > >> Client Logon ID: (0x0,0x9B53C73)
> > >> Accesses Read Property
> > >>
> > >> Privileges -
> > >>
> > >> Properties:
> > >> READ_CONTROL
> > >> WRITE_DAC
> > >> SYNCHRONIZE
> > >> Create Child
> > >> List Contents
> > >> Read Property
> > >> Write Property
> > >> %{00000000-0000-0000-0000-000000000000}
> > >> SYNCHRONIZE
> > >> List Contents
> > >> Read Property
> > >> Write Property
> > >> uSNChanged
> > >>
> > >> >
> > >
> > >
> > >.
> > >
>
>
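
For triaging repeated Event ID 565 entries like those pasted in this thread, the following is an added example (not part of any poster's message): it strips the newsgroup quote markers from pasted event text, parses each event, and counts entries per client account, object and requested access so that repeats collapse into one row. The sample events, host names and domain are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout of the events quoted in this thread (placeholder names).
SAMPLE = """\
> Event Type: Failure Audit
> Event ID: 565
> Object Name: CN=HOST1,CN=Computers,DC=example,DC=com
> Client User Name: HOST1$
> Accesses Write Property
>
> Properties:
> Create Child
> servicePrincipalName
> Event Type: Failure Audit
> Event ID: 565
> Object Name: CN=HOST1,CN=Computers,DC=example,DC=com
> Client User Name: HOST1$
> Accesses Write Property
> Event Type: Failure Audit
> Event ID: 565
> Object Name: CN=RpcServices,CN=System,DC=example,DC=com
> Client User Name: HOST2$
> Accesses Create Child
"""

QUOTE = re.compile(r"^(?:\s*>)+\s?")  # newsgroup quote markers, any nesting depth
FIELD = re.compile(r"^(Event Type|Event ID|Object Name|Client User Name|Accesses):?\s+(.*)$")

def parse_events(text):
    events, in_props = [], False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":  # a new event starts here
            events.append({"Properties": []})
        if not events:
            continue
        if m:
            events[-1][m.group(1)], in_props = m.group(2), False
        elif in_props and line:
            events[-1]["Properties"].append(line)
        else:  # a blank line ends the property list; "Properties:" starts one
            in_props = line.startswith("Properties:")
    return events

def summarize(events):
    """Count Event ID 565 entries per (client, object, access)."""
    return Counter((e.get("Client User Name"), e.get("Object Name"), e.get("Accesses"))
                   for e in events if e.get("Event ID") == "565")
```

Calling `summarize(parse_events(text)).most_common()` on a pasted log lists the most frequent client/object/access combinations first.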


