failure audit event 565 driving me crazy - reward offered

From: Thomas McLeod (thomas03_at_mcleodsoft.net.nospam)
Date: 05/27/03


Date: Mon, 26 May 2003 20:43:30 -0400


To the first person that tells me exactly what's happening here I will send
a $5 gift certificate for Ben & Jerry's Ice Cream.

Ready?

After being hacked, we recently turned on auditing for Directory Service
Access. Now every few minutes I get these Event Id 565 logs on our domain
controller (MCLEOD01$) by our Exchange server (SEQUOIA$) computer account:

Object Open:
Object Server: DS
Object Type: container
Object Name: %{3238f9ac-e713-4af0-81f2-c09ebfc148df}
New Handle ID: -
Operation ID: {0,4163737}
Process ID: 244
Primary User Name: MCLEOD01$
Primary Domain: MSD
Primary Logon ID: (0x0,0x3E7)
Client User Name: SEQUOIA$
Client Domain: MSD
Client Logon ID: (0x0,0x3E5A4B)
Accesses Read Property

Privileges -
Properties:
SYNCHRONIZE
ACCESS_SYS_SEC
Write Self
%%7692
%%7695
%{00000000-0000-0000-0000-000000000000}
READ_CONTROL
WRITE_DAC
Create Child
List Contents
Write Property
Delete Tree
uSNChanged

I have looked everywhere for an object named
%{3238f9ac-e713-4af0-81f2-c09ebfc148df} and can't find one. (No, it's not a
GUID of anything in Active Directory). I was able to discover through much
trial and error that setting the Recipient Update Services in Exchange to
"Never Run" eliminates the log entries. But I can't shut these down
permanently.

Thought Questions:

1. what is object %{3238f9ac-e713-4af0-81f2-c09ebfc148df} ?

2. what does the % mean in front of the GUID ?

3. what are %%7692 and %%7695 ?

Any information would be helpful

Thomas McLeod
Montpelier, Vermont
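
An added example, not part of the original post: a small Python parser that splits the event 565 description text shown above into named fields and lists the placeholders that were left unexpanded (`%%<number>` and `%{GUID}`), so recurring events can be compared by client account and object. The sample is abbreviated from the event in the post; the function names are hypothetical.

```python
import re

# Sample abbreviated from the event text quoted in the post above.
SAMPLE = """\
Object Open:
Object Type: container
Object Name: %{3238f9ac-e713-4af0-81f2-c09ebfc148df}
Client User Name: SEQUOIA$
Accesses Read Property

Privileges -
Properties:
SYNCHRONIZE
%%7692
%%7695
%{00000000-0000-0000-0000-000000000000}
"""

# Tokens the rendered text left unexpanded: %%<number> or %{<GUID>}.
TOKEN = re.compile(r"%%\d+|%\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
# "Accesses" and "Privileges" appear without a colon in the post.
NO_COLON = re.compile(r"^(Accesses|Privileges):?\s+(.*)$")


def parse_event_565(text):
    """Split the description into named fields plus the Properties list."""
    fields, properties, in_props = {}, [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        if in_props:
            properties.append(line)  # everything after "Properties:" is one list
        elif line == "Properties:":
            in_props = True
        elif m := NO_COLON.match(line):
            fields[m[1]] = m[2]
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    fields["Properties"] = properties
    return fields


def unresolved_tokens(event):
    """Return (field, token) pairs for every unexpanded placeholder."""
    found = []
    for key, value in event.items():
        for item in value if isinstance(value, list) else [value]:
            found.extend((key, tok) for tok in TOKEN.findall(item))
    return found
```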


