thelink12
asked on
Event ID 565 Failure Audit. WHAT DOES IT MEAN?
Exchange 2003, Cluster of 2 servers running 2003 Server. I am getting some Failure Audits in the Event Log that dont make much sense. The event ID is 565. Lets say I have Jim, Mark, and Zach. I will see these failure audits from Jim on Jim's account. Same for Mark and Zach. What I found is that I have seen these same audits only they were on Mark and Zach's account but they were caused by Jim. I could recreate the audit if I tried to open another persons mailbox so I thought that Jim might be trying to read other people's mail. He tells me that they were probably caused by Meeting Requests that he sent out and surprisingly they match up. But then I found some more of these audits only they dont match up with any Meeting Requests. Here is an example of an audit I have seen.
6/28/2006 8:26:23 AM Failure Audit Security SERVER01
Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Logon
Object Name: /o=Exchange2003/ou=First Administrative Group/cn=Recipients/cn=ZAC
Handle ID: -
Operation ID: {1,1835013326}
Process ID: 5240
Process Name: C:\Program Files\Exchsrvr\bin\store.e
Primary User Name: APCLUS01$
Primary Domain: OPNT
Primary Logon ID: (0x0,0x3E7)
Client User Name: JIM
Client Domain: Domain
Client Logon ID: (0x1,0x6CEB0ED9)
Accesses: Unknown specific access (bit 8)
Privileges: -
Properties:
---
%{ab721a54-1e2f-11d0-9819-
%{bf967aba-0de6-11d0-a285-
Access Mask: 0
To me it looks like Jim is trying to access Zach's account but there is no definitive statement to this effect. Any help would be great.
6/28/2006 8:26:23 AM Failure Audit Security SERVER01
Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Logon
Object Name: /o=Exchange2003/ou=First Administrative Group/cn=Recipients/cn=ZAC
Handle ID: -
Operation ID: {1,1835013326}
Process ID: 5240
Process Name: C:\Program Files\Exchsrvr\bin\store.e
Primary User Name: APCLUS01$
Primary Domain: OPNT
Primary Logon ID: (0x0,0x3E7)
Client User Name: JIM
Client Domain: Domain
Client Logon ID: (0x1,0x6CEB0ED9)
Accesses: Unknown specific access (bit 8)
Privileges: -
Properties:
---
%{ab721a54-1e2f-11d0-9819-
%{bf967aba-0de6-11d0-a285-
Access Mask: 0
To me it looks like Jim is trying to access Zach's account but there is no definitive statement to this effect. Any help would be great.
ASKER
That is how I reproduced the event, using file>open... I got the 565 Event when I tried to open a mailbox I was not allowed to.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I spent over 4 hours on the phone with Microsoft and they are saying its a known issue\Bug in Windows and will be taken care of in the next SP. I will split the points. Thanks for the help.
Is there an Event Log Error number associated with that log?