Event ID 562 and 565

Discussion in 'Windows Server' started by melu, Jul 2, 2008.

  1. melu

    melu Guest

    Hi,

    I have this on the security log of the exchange server:

    Event ID 565

    Object Open:
    Object Server: Microsoft Exchange
    Object Type: Microsoft Exchange Database
    Object
    Name: /DC=ca/DC=DomainName/CN=Configuration/CN=Services/CN=Microsoft
    Exchange/CN= /CN=Administrative Groups/CN=First Administrative
    Group/CN=Servers/CN=EX1
    Handle ID: 0
    Operation ID: {1,2898073581}
    Process ID: 4944
    Process Name: C:\Program Files\Exchsrvr\bin\store.exe
    Primary User Name: EX1$
    Primary Domain: PARKINSON
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: EX1$
    Client Domain: DomainName
    Client Logon ID: (0x0,0x5D092)
    Accesses: Unknown specific access (bit 8)

    Privileges: -

    Properties:
    ---
    %{a8df74ba-c5ea-11d1-bbcb-0080c76670c0}
    Unknown specific access (bit 8)
    %{d74a8762-22b9-11d3-aa62-00c04f8eedd8}
    %{d74a8774-2289-11d3-aa62-00c04f8eedd8}
    %{cf899a6a-afe6-11d2-aa04-00c04f8eedd8}
    %{cffe6da4-afe6-11d2-aa04-00c04f8eedd8}
    %{cfc7978e-afe6-11d2-aa04-00c04f8eedd8}
    %{d03a086e-afe6-11d2-aa04-00c04f8eedd8}
    %{d0780592-afe6-11d2-aa04-00c04f8eedd8}
    %{d74a875e-22b9-11d3-aa62-00c04f8eedd8}
    %{cf4b9d46-afe6-11d2-aa04-00c04f8eedd8}
    %{cf0b3dc8-afe6-11d2-aa04-00c04f8eedd8}
    %{d74a8766-22b9-11d3-aa62-00c04f8eedd8}
    %{d74a8769-22b9-11d3-aa62-00c04f8eedd8}
    %{d74a876f-22b9-11d3-aa62-00c04f8eedd8}

    Access Mask: 0


    and


    Event ID 562


    Handle Closed:
    Object Server: Microsoft Exchange
    Handle ID: 568129248
    Process ID: 4944
    Image File Name: C:\Program Files\Exchsrvr\bin\store.exe


    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    The log is full of this two events. We also have a usershared folder on that
    drive which hosts the exchange database which has auditing enabled. I have
    just disabled it.

    Could it be causing this problem. Also I noticed that the security log on
    the domain controllers has many entries with the events 538, 576, 540 from
    the exchange server.

    Thx
     
    melu, Jul 2, 2008
    #1
    1. Advertisements

  2. Hello MeLu,

    See here:
    http://support.microsoft.com/kb/841001

    All events are SUCCESS AUDIT entries, so no problem. You get them, because
    security auditing is enabled in your GPO's in the domain or only on the exchange
    server, so check them and choose the options you like to have.

    Computer configuration, windows settings, security settings, local policies,
    Audit policy, in the right pane you find your options.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Jul 2, 2008
    #2
    1. Advertisements

  3. melu

    melu Guest

    Hi Meinolf,

    You are right. Its the GPO in the domain. My question is that the GPO has
    been around for ages - what triggered this all of sudden. As I have done
    nothing to change this.

    Any idea?

    Thanks
     
    melu, Jul 3, 2008
    #3
  4. Hello MeLu,

    In which GPO did you find it and what OS are you using?

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Jul 3, 2008
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.