Re: 565 Events
From: Eric Fitzgerald [MSFT] (ericf_at_online.microsoft.com)
Date: 05/07/03
- Next message: Eric Fitzgerald [MSFT]: "Re: Auditing changes in Regional Options"
- Previous message: Tech Iah: "Active Directory and Microsoft Certificate Services"
- In reply to: Peter Kaufman: "Re: 565 Events"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 6 May 2003 18:07:32 -0700
We added more information in Windows Server 2003 to see what process on the
machine was causing the logon request. Unfortunately that is not available
in Windows 2000 yet. With that information and process tracking we could
narrow it down, probably to a service.
Eric
--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Peter Kaufman" <pmkdatabase@yahoo.ca> wrote in message
news:dci6bvo8v18lpbmot3h5re2071n0l88u33@4ax.com...
> Eric, sorry for the delay in responding. Yes, there is a machine
> account Philip (that is what I was trying to say), and it seems to
> have access to AD, etc. There are no problems encountered when using
> that computer. It's almost impossible to track actual unauthorized
> logon attempts with all this stuff in the log - that is the problem.
>
>
>
> On Mon, 28 Apr 2003 15:21:14 -0700, "Eric Fitzgerald [MSFT]"
> <ericf@online.microsoft.com> wrote:
>
> >Then there is also a machine named PHILIP, because PHILIP$ refers to a
> >machine account.
> >
> >Machine accounts, or at least the one in question, probably don't have
> >access to the object in question.
> >
> >Eric
> >
> >--
> >Eric Fitzgerald
> >Program Manager, Windows Auditing and Intrusion Detection
> >Microsoft Corporation
> >
> >This posting is provided "AS IS" with no warranties, and confers no
rights.
> >
> >"Peter K." <pmkdatabase@yahoo.ca> wrote in message
> >news:hpk6avsedqo6e9h5akjka3ulis6g165vtk@4ax.com...
> >> Hi,
> >>
> >> Any ideas on the cause/solution of these? I get them every now and
> >> then when logging on to a workstation. The logon is successful, but
> >> these events show up. The user name below (Philip) is the workstation
> >> name, not a human user.
> >>
> >> Thanks,
> >>
> >> Peter
> >>
> >> Event Type: Failure Audit
> >> Event Source: Security
> >> Event Category: Directory Service Access
> >> Event ID: 565
> >> Date: 4/21/2003
> >> Time: 8:24:08 AM
> >> User: JOM\PHILIP$
> >> Computer: PMCI-01
> >> Description:
> >> Object Open:
> >> Object Server: DS
> >> Object Type: container
> >> Object Name: %{cdd69897-5971-448b-8a98-68e1e68bf28b}
> >> New Handle ID: -
> >> Operation ID: {0,25815628}
> >> Process ID: 268
> >> Primary User Name: PMCI-01$
> >> Primary Domain: JOM
> >> Primary Logon ID: (0x0,0x3E7)
> >> Client User Name: PHILIP$
> >> Client Domain: JOM
> >> Client Logon ID: (0x0,0x189EA3F)
> >> Accesses List Contents
> >>
> >> Privileges -
> >>
> >> Properties:
> >>
> >
>
> Peter Kaufman MCP
- Next message: Eric Fitzgerald [MSFT]: "Re: Auditing changes in Regional Options"
- Previous message: Tech Iah: "Active Directory and Microsoft Certificate Services"
- In reply to: Peter Kaufman: "Re: 565 Events"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
