Your auditing logs may contain incorrect auditing event details for event 565 and event 560 (836419)



The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition

SYMPTOMS

Auditing event details may be reported incorrectly in your auditing logs. This symptom may occur in one or both of the following ways:
  • The access bit is not decoded and insertion strings are displayed in event 565 for the SAM Server object:
    Event Type: Success Audit
    Event Source: Security
    Event Category: Directory Service Access
    Event ID: 565
    Description:
    Object Open:
    Object Server: Security Account Manager
    Object Type: SAM_SERVER
    Object Name: CN=Server,CN=System,DC=<domain_name>
    Handle ID: 357683232
    Operation ID: {0,19736110}
    Process ID: 780
    Process Name: C:\WINDOWS\system32\lsass.exe
    Primary User Name: user_name
    Primary Domain: domain_name
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: user_name
    Client Domain: domain_name
    Client Logon ID: (0x0,0x12CEAE5)
    Accesses READ_CONTROL
    InitializeServer
    EnumerateDomains
    Undefined Access (no effect) Bit 7
    Privileges -
    Properties:
    ---
    %{bf967aad-0de6-11d0-a285-00aa003049e2}
    00x20094%20%21%22%23%24%25%26
    --------------
    Note: The problem is noted on the "Undefined Access (no effect) Bit 7" line of this event.
  • Event 565 reports that handles are opened in the Directory Service Access category. However, event 560 reports that these handles are closed in the Object Access category. The following list includes samples of the event 565 report and the event 560 report.
    • Event 565:
      Event Type: Success Audit
      Event Source: Security
      Event Category: Directory Service Access
      Event ID: 565
      Description:
      Object Open:
      Object Server: Security Account Manager
      Object Type: SAM_USER
      Object Name: <SID>
      Handle ID: 357684048
      Operation ID: {0,19736100}
      Process ID: 780
      Process Name: C:\WINDOWS\system32\lsass.exe
      Primary User Name: <user_name>
      Primary Domain: <domain_name>
      Primary Logon ID: (0x0,0x3E7)
      Client User Name: <user_name>
      Client Domain: <domain_name>
      Client Logon ID: (0x0,0x12CEAE5)
      Accesses:
    • Event 560 where the matching handle close event has a different category than Event 565:
      Event Type: Success Audit
      Event Source: Security
      Event Category: Object Access
      Event ID: 562
      Description: Handle Closed:
      Object Server: Security Account Manager
      Handle ID: 357684048
      Process ID: 780
      Image File Name: C:\WINDOWS\system32\lsass.exe
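
The following added example (not part of the original article and not Microsoft code) pairs handle-open and handle-close records by Process ID and Handle ID rather than by category, and lists description lines that were logged without being decoded. The record layout, the function names and the sample records are assumptions constructed from the event text shown above.

```python
import re

OPEN_ID, CLOSE_ID = 565, 562  # event IDs as they appear in the article's samples

# Constructed sample records (dict layout is an assumption) built from the event text above.
SAMPLE_EVENTS = [
    {"id": 565, "category": "Directory Service Access", "text":
        "Object Open:\nObject Type: SAM_SERVER\nHandle ID: 357683232\nProcess ID: 780\n"
        "Accesses READ_CONTROL\nInitializeServer\nEnumerateDomains\n"
        "Undefined Access (no effect) Bit 7\nProperties:\n---\n"
        "%{bf967aad-0de6-11d0-a285-00aa003049e2}\n00x20094%20%21%22%23%24%25%26\n"},
    {"id": 565, "category": "Directory Service Access", "text":
        "Object Open:\nObject Type: SAM_USER\nHandle ID: 357684048\nProcess ID: 780\nAccesses:\n"},
    {"id": 562, "category": "Object Access", "text":
        "Handle Closed:\nHandle ID: 357684048\nProcess ID: 780\n"},
]

FIELD = re.compile(r"^[ \t]*(Handle ID|Process ID):[ \t]*(\S+)", re.M)
# Access bits or insertion strings that were written to the log without being decoded.
UNDECODED = re.compile(r"Undefined Access \(no effect\) Bit \d+|%\{[0-9a-fA-F-]{36}\}|%\d+")

def handle_key(event):
    """(Process ID, Handle ID) identifies a handle regardless of the event category."""
    f = dict(FIELD.findall(event["text"]))
    return f.get("Process ID"), f.get("Handle ID")

def undecoded_lines(event):
    return [ln.strip() for ln in event["text"].splitlines() if UNDECODED.search(ln)]

def correlate(events):
    """Pair opens with closes by handle key; return (pairs, handles never closed)."""
    open_events, pairs = {}, []
    for ev in events:
        key = handle_key(ev)
        if ev["id"] == OPEN_ID:
            open_events[key] = ev
        elif ev["id"] == CLOSE_ID and key in open_events:
            opened = open_events.pop(key)
            pairs.append({"handle": key[1],
                          "open_category": opened["category"],
                          "close_category": ev["category"],
                          "category_mismatch": opened["category"] != ev["category"]})
    return pairs, sorted(handle for _, handle in open_events)

if __name__ == "__main__":
    pairs, unclosed = correlate(SAMPLE_EVENTS)
    print(pairs, unclosed, undecoded_lines(SAMPLE_EVENTS[0]), sep="\n")
```

A report or filter that selects only the Directory Service Access category would see the SAM_USER handle opened and never closed; keying on the handle avoids that.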

CAUSE

This problem may occur if the following conditions are true:
  • You turn on auditing for the Object Access category and the Directory Service Access category.
  • The default system access control list (SACL) is configured on the affected objects.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Modification Type: Major
Last Reviewed: 7/2/2004
Keywords:kbAudit kbnofix kbprb kbBug KB836419 kbAudITPRO