Event ID 562 and 565

  • Thread starter Thread starter melu
  • Start date Start date
M

melu

Guest
Hi,

I have this on the security log of the exchange server:

Event ID 565

Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Database
Object
Name: /DC=ca/DC=DomainName/CN=Configuration/CN=Services/CN=Microsoft
Exchange/CN= /CN=Administrative Groups/CN=First Administrative
Group/CN=Servers/CN=EX1
Handle ID: 0
Operation ID: {1,2898073581}
Process ID: 4944
Process Name: C:\Program Files\Exchsrvr\bin\store.exe
Primary User Name: EX1$
Primary Domain: PARKINSON
Primary Logon ID: (0x0,0x3E7)
Client User Name: EX1$
Client Domain: DomainName
Client Logon ID: (0x0,0x5D092)
Accesses: Unknown specific access (bit 8)

Privileges: -

Properties:
---
%{a8df74ba-c5ea-11d1-bbcb-0080c76670c0}
Unknown specific access (bit 8)
%{d74a8762-22b9-11d3-aa62-00c04f8eedd8}
%{d74a8774-2289-11d3-aa62-00c04f8eedd8}
%{cf899a6a-afe6-11d2-aa04-00c04f8eedd8}
%{cffe6da4-afe6-11d2-aa04-00c04f8eedd8}
%{cfc7978e-afe6-11d2-aa04-00c04f8eedd8}
%{d03a086e-afe6-11d2-aa04-00c04f8eedd8}
%{d0780592-afe6-11d2-aa04-00c04f8eedd8}
%{d74a875e-22b9-11d3-aa62-00c04f8eedd8}
%{cf4b9d46-afe6-11d2-aa04-00c04f8eedd8}
%{cf0b3dc8-afe6-11d2-aa04-00c04f8eedd8}
%{d74a8766-22b9-11d3-aa62-00c04f8eedd8}
%{d74a8769-22b9-11d3-aa62-00c04f8eedd8}
%{d74a876f-22b9-11d3-aa62-00c04f8eedd8}

Access Mask: 0


and


Event ID 562


Handle Closed:
Object Server: Microsoft Exchange
Handle ID: 568129248
Process ID: 4944
Image File Name: C:\Program Files\Exchsrvr\bin\store.exe


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


The log is full of this two events. We also have a usershared folder on that
drive which hosts the exchange database which has auditing enabled. I have
just disabled it.

Could it be causing this problem. Also I noticed that the security log on
the domain controllers has many entries with the events 538, 576, 540 from
the exchange server.

Thx
 
Re: Event ID 562 and 565

Hello MeLu,

See here:
http://support.microsoft.com/kb/841001

All events are SUCCESS AUDIT entries, so no problem. You get them, because
security auditing is enabled in your GPO's in the domain or only on the exchange
server, so check them and choose the options you like to have.

Computer configuration, windows settings, security settings, local policies,
Audit policy, in the right pane you find your options.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi,
>
> I have this on the security log of the exchange server:
>
> Event ID 565
>
> Object Open:
> Object Server: Microsoft Exchange
> Object Type: Microsoft Exchange Database
> Object
> Name: /DC=ca/DC=DomainName/CN=Configuration/CN=Services/CN=Microsoft
> Exchange/CN= /CN=Administrative Groups/CN=First Administrative
> Group/CN=Servers/CN=EX1
> Handle ID: 0
> Operation ID: {1,2898073581}
> Process ID: 4944
> Process Name: C:\Program Files\Exchsrvr\bin\store.exe
> Primary User Name: EX1$
> Primary Domain: PARKINSON
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: EX1$
> Client Domain: DomainName
> Client Logon ID: (0x0,0x5D092)
> Accesses: Unknown specific access (bit 8)
> Privileges: -
>
> Properties:
> ---
> %{a8df74ba-c5ea-11d1-bbcb-0080c76670c0}
> Unknown specific access (bit 8)
> %{d74a8762-22b9-11d3-aa62-00c04f8eedd8}
> %{d74a8774-2289-11d3-aa62-00c04f8eedd8}
> %{cf899a6a-afe6-11d2-aa04-00c04f8eedd8}
> %{cffe6da4-afe6-11d2-aa04-00c04f8eedd8}
> %{cfc7978e-afe6-11d2-aa04-00c04f8eedd8}
> %{d03a086e-afe6-11d2-aa04-00c04f8eedd8}
> %{d0780592-afe6-11d2-aa04-00c04f8eedd8}
> %{d74a875e-22b9-11d3-aa62-00c04f8eedd8}
> %{cf4b9d46-afe6-11d2-aa04-00c04f8eedd8}
> %{cf0b3dc8-afe6-11d2-aa04-00c04f8eedd8}
> %{d74a8766-22b9-11d3-aa62-00c04f8eedd8}
> %{d74a8769-22b9-11d3-aa62-00c04f8eedd8}
> %{d74a876f-22b9-11d3-aa62-00c04f8eedd8}
> Access Mask: 0
>
> and
>
> Event ID 562
>
> Handle Closed:
> Object Server: Microsoft Exchange
> Handle ID: 568129248
> Process ID: 4944
> Image File Name: C:\Program Files\Exchsrvr\bin\store.exe
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> The log is full of this two events. We also have a usershared folder
> on that drive which hosts the exchange database which has auditing
> enabled. I have just disabled it.
>
> Could it be causing this problem. Also I noticed that the security log
> on the domain controllers has many entries with the events 538, 576,
> 540 from the exchange server.
>
> Thx
>
 
Re: Event ID 562 and 565

Hi Meinolf,

You are right. Its the GPO in the domain. My question is that the GPO has
been around for ages - what triggered this all of sudden. As I have done
nothing to change this.

Any idea?

Thanks
 
Re: Event ID 562 and 565

Hello MeLu,

In which GPO did you find it and what OS are you using?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi Meinolf,
>
> You are right. Its the GPO in the domain. My question is that the GPO
> has been around for ages - what triggered this all of sudden. As I
> have done nothing to change this.
>
> Any idea?
>
> Thanks
>
 

Similar threads

V
About exceptions and capturing them with dumps
Replies
0
Views
268
Viorel-Alexandru
V
J
Event 565 in Security Log
Replies
2
Views
141
James B
J
G
Need Help With Active Directory And Dns
Replies
0
Views
1,597
Gloppy
G
M
Server 2003 DC Security Log Event 565
Replies
1
Views
144
Tim Springston [MSFT]
T
M
Security Event Log exploding with 560/562 auditing entries
Replies
1
Views
130
Mark Z.
M
Back
Top