Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Event ID 565 Failure Audit.  WHAT DOES IT MEAN?

Posted on 2006-06-29
4
Medium Priority
?
879 Views
Last Modified: 2008-01-09
Exchange 2003, Cluster of 2 servers running 2003 Server.  I am getting some Failure Audits in the Event Log that dont make much sense.  The event ID is 565.  Lets say I have Jim, Mark, and Zach.  I will see these failure audits from Jim on Jim's account.  Same for Mark and Zach.  What I found is that I have seen these same audits only they were on Mark and Zach's account but they were caused by Jim.  I could recreate the audit if I tried to open another persons mailbox so I thought that Jim might be trying to read other people's mail.  He tells me that they were probably caused by Meeting Requests that he sent out and surprisingly they match up.  But then I found some more of these audits only they dont match up with any Meeting Requests.  Here is an example of an audit I have seen.


6/28/2006 8:26:23 AM Failure Audit Security SERVER01
  Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Logon
Object Name: /o=Exchange2003/ou=First Administrative Group/cn=Recipients/cn=ZACH
Handle ID: -
Operation ID: {1,1835013326}
Process ID: 5240
Process Name: C:\Program Files\Exchsrvr\bin\store.exe
Primary User Name: APCLUS01$
Primary Domain: OPNT
Primary Logon ID: (0x0,0x3E7)
Client User Name: JIM
Client Domain: Domain
Client Logon ID: (0x1,0x6CEB0ED9)
Accesses: Unknown specific access (bit 8)

Privileges: -

Properties:
---
%{ab721a54-1e2f-11d0-9819-00aa0040529b}
%{bf967aba-0de6-11d0-a285-00aa003049e2}

Access Mask: 0

To me it looks like Jim is trying to access Zach's account but there is no definitive statement to this effect.  Any help would be great.
0
Comment
Question by:thelink12
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 17009431
It appears that Jim is trying to open Zach's mailbox.  He may be going to File>Open>Other User's folder or he simply may have his mail client incorrectly configured.

Is there an Event Log Error number associated with that log?
0
 

Author Comment

by:thelink12
ID: 17009651
That is how I reproduced the event, using file>open...  I got the 565 Event when I tried to open a mailbox I was not allowed to.  
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 17009965
Ok, well that should be normal.  If you aren't delegated access by the user then it will log an access error.

As for Meeting requests causing this it's hard to say.  Meeting Requests should be a simple email, however, when the user responds to it then it should be updating the requestor's Calander with the the new attendee.  Perhaps the users have remove everyone's access to Calander or the permissions somehow are not set to default so the replies are being blocked via bad permissions.

0
 

Author Comment

by:thelink12
ID: 17030511
I spent over 4 hours on the phone with Microsoft and they are saying its a known issue\Bug in Windows and will be taken care of in the next SP.  I will split the points.  Thanks for the help.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question