Event ID - 565

Event Id565
DescriptionObject Open:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: <SID>
Handle ID: 357684048
Operation ID: {0,19736100}
Process ID: 780
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: <user_name>
Primary Domain: <domain_name>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <user_name>
Client Domain: <domain_name>
Client Logon ID: (0x0,0x12CEAE5)
Event InformationAccording to Microsoft:
Cause :
An attempt was made to access a directory service object. Success or failure is indicated in the message. If access was successful, the listed accesses were requested and granted. If access failed, the listed accesses were requested but not granted.

1)The Process ID and Process Name fields specify the process that was used to make the request.
2)The Primary User fields specify the context (primary token) that the user used to access the process.
3)The Client User fields, if present, specify the user on whose behalf the request was made (the impersonated user).
Resolution :
No user action is required. "Resolution According To Microsoft:"
To prevent inadvertent denial of the SeSecurityPrivilege right to Exchange 2000 Enterprise servers, you can create a custom policy for domain controllers to implement the SeSecurityPrivilege right:

1. Start the Active Directory Users and Computers Microsoft Management Console (MMC).
2. Open the properties of the Domain Controllers container.
3. Click the Group Policy tab, and then click New. Name the new policy (for example, "DOMAIN_NAME Auditing Rights").
. This step is optional. This step makes the policy load faster. Right-click the new policy, click Properties, and then disable the User Configuration.
5. Click the new policy, and then click Edit. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings. Expand Local Policies, expand User Rights Assignment, and then configure all of the accounts that require the SeSecurityPrivilege right.
IMPORTANT: All of the settings that you configure in this policy replace the same settings in other policies, instead of merging with them. Unconfigured options are still applied from other policies.
6. Set the new policy to a higher priority than the default domain controllers policy. If you do not do so, the policy has no effect because the default policy configures the same setting. .
Reference LinksEvent ID 565 from Source Security

Alternate Event ID in Vista and Windows Server 2008 is 4661.

SMS: Collection Evaluator May Cause Many Event ID 565 Events

Your auditing logs may contain incorrect auditing event details for event 565 and event 560

MOM May Not Display the Same Event Description as Event Viewer

Failure Audit Security Event ID Messages Are Logged When You Open a Mailbox That You Have Delegate Access To

Windows 2000 Security Event Descriptions (Part 1 of 2)

Security Events Do Not Specify Audited Actions

Directory Service Access Audits for a SAM Object Server Have Incomplete Object Names

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.