| Event Id | 565 |
| Source | Security |
| Description | Object Open: Object Server: Security Account Manager Object Type: SAM_USER Object Name: <SID> Handle ID: 357684048 Operation ID: {0,19736100} Process ID: 780 Process Name: C:\WINDOWS\system32\lsass.exe Primary User Name: <user_name> Primary Domain: <domain_name> Primary Logon ID: (0x0,0x3E7) Client User Name: <user_name> Client Domain: <domain_name> Client Logon ID: (0x0,0x12CEAE5) Accesses: |
| Event Information | According to Microsoft: Cause : An attempt was made to access a directory service object. Success or failure is indicated in the message. If access was successful, the listed accesses were requested and granted. If access failed, the listed accesses were requested but not granted. 1)The Process ID and Process Name fields specify the process that was used to make the request. 2)The Primary User fields specify the context (primary token) that the user used to access the process. 3)The Client User fields, if present, specify the user on whose behalf the request was made (the impersonated user). Resolution : No user action is required. "Resolution According To Microsoft:" To prevent inadvertent denial of the SeSecurityPrivilege right to Exchange 2000 Enterprise servers, you can create a custom policy for domain controllers to implement the SeSecurityPrivilege right: 1. Start the Active Directory Users and Computers Microsoft Management Console (MMC). 2. Open the properties of the Domain Controllers container. 3. Click the Group Policy tab, and then click New. Name the new policy (for example, "DOMAIN_NAME Auditing Rights"). . This step is optional. This step makes the policy load faster. Right-click the new policy, click Properties, and then disable the User Configuration. 5. Click the new policy, and then click Edit. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings. Expand Local Policies, expand User Rights Assignment, and then configure all of the accounts that require the SeSecurityPrivilege right. IMPORTANT: All of the settings that you configure in this policy replace the same settings in other policies, instead of merging with them. Unconfigured options are still applied from other policies. 6. Set the new policy to a higher priority than the default domain controllers policy. If you do not do so, the policy has no effect because the default policy configures the same setting. . |
| Reference Links | Event ID 565 from Source Security Alternate Event ID in Vista and Windows Server 2008 is 4661. SMS: Collection Evaluator May Cause Many Event ID 565 Events Your auditing logs may contain incorrect auditing event details for event 565 and event 560 MOM May Not Display the Same Event Description as Event Viewer Failure Audit Security Event ID Messages Are Logged When You Open a Mailbox That You Have Delegate Access To Windows 2000 Security Event Descriptions (Part 1 of 2) Security Events Do Not Specify Audited Actions Directory Service Access Audits for a SAM Object Server Have Incomplete Object Names |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.