Event ID 565

Posted on 2005-05-09
Last Modified: 2013-12-04
I have seen quite a few questions about event id 565.  I too am having an issue, but can't make sense of anything I've seen on-line.

My boss (of all people) is generating event id 565 on our exchange server 2000.  His AD user account is getting locked out as well (as a result?).  

What it looks like to me is exchange is sending the wrong password back to AD (or vice-versa), but I can't be sure.  As usual, nothing that we know has been changed w/ any security on either exchange or AD with regards to this persons account.

Here is the log file from the event:

Object Open:
       Object Server:      Microsoft Exchange
       Object Type:      Microsoft Exchange Logon
       New Handle ID:      -
       Operation ID:      {0,158189962}
       Process ID:      2564
       Primary User Name:      MEREDITHEXCH$
       Primary Domain:      MVS
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      stucker
       Client Domain:      MVS
       Client Logon ID:      (0x0,0x96DC966)
       Accesses            Unknown specific access (bit 8)
       Privileges            -

Unknown specific access (bit 5)
Unknown specific access (bit 6)
Unknown specific access (bit 10)
Unknown specific access (bit 11)
Unknown specific access (bit 14)


Question by:dklock66
    LVL 18

    Expert Comment

    LVL 18

    Expert Comment

    It does seem that this is a security issue, it may be a simple as turning off auditing if it is on....see:
    LVL 38

    Expert Comment

    by:Rich Rumble;en-us;836419

    There are viri that try to use bruteforce on accounts and will lock your users out, be sure to scan all machines with the latest DAT's to rule this possibilitiy out. If using XP or winME, turn off system restore BEFORE removing a virus or even spyware.


    Author Comment

    I have read kb 314294 and think the answer might lie within.  I guess the most irritating part of this problem is the fact that the AD account is getting locked out - repeatedly all day!!!  Why???

    I was thinking of exporting the entire mailbox, deleting the user and mailbox, then recreating the user w/ a new mailbox.  

    I want to get this one of my back ASAP!
    LVL 18

    Expert Comment

    Recreating user and mailbox might do the can export the user's entire mailbox contents to a .pst, then import it back into the new mailbox.

    Expert Comment

    Could be that his profile is corrupt. Try deleting the boss' local profile by logging into the boss' machine as an administrator, then right clicking my computer->properties->advanced->user profiles settings and then deleting his profile.  If this fails try blowing his profile away completely (after backing up his files of course) by deleting the nt directory in the users network drive.

    I can't say if this is related to Exchange or not, but when our accounts continuously lock out then doing one of the above fixes it.

    Author Comment

    we are currently looking at replication errors.  when I find something more I will let you know.

    Author Comment

    Problem solved:

    user (Boss) had an active terminal session (55 days old - that has been rectified) on a server.  He had since changed his password which caused the live terminal session to lock him out.

    Thanks for the ideas and assistance!
    LVL 18

    Expert Comment

    Good catch!!  How did you track it down?   Since you found the solution yourself, you can post a link to this question in the Community Support TA and ask for a points refund.

    This is a great solution to add to the EE PAQ.....really goes to show that you have to consider everything in trouble-shooting.
    Again, congrats ......your eye-dee-ten-tee boss should give you a raise for this one.  Hope you have taught him how to properly log out os a TS session!

    Author Comment


    gotta be honest and everyone might get a kick ... I didn't solve this myself.  

    It took Microsoft Tech Support FIVE hours to figure this out.

    I don't know that I'll get a raise ... it cost about $1000 per mouse click :-(

    As a lesson well learned ... when a vendor installs a server running terminal services, one must check the session parameters and not assume the vendor did the right thing by limiting inactive sessions.  Won't happen to me again.
    LVL 1

    Accepted Solution

    PAQed with points (250) refunded

    Community Support Moderator
    LVL 2

    Expert Comment

    is it possible that you can tell us what the solution was?

    Featured Post

    6 Surprising Benefits of Threat Intelligence

    All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

    Join & Write a Comment

    Suggested Solutions

    Title # Comments Views Activity
    iPhone Apps - Security and other risks 4 66
    Jailbreak and Rooting on mobile devices 10 71
    Is this error real? 2 32
    deny local logon 12 35
    Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
    Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    This video discusses moving either the default database or any database to a new volume.

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now