Ureader.com  
Microsoft software help and Community
   home   |   control panel login   |   archive   |  
 
Exchange
2000.active.directory
2000.admin
2000.announcements
2000.app.conversion
2000.applications
2000.clients
2000.clustering
2000.connectivity
2000.development
2000.documentation
2000.general
2000.information.store
2000.interop
2000.kms
2000.misc
2000.protocols
2000.realtime.collabo.
2000.setup
2000.transport
2000.win2000
admin
application.conversion
applications
clients
clustering
connectivity
design
development
misc
mobility
setup
tools
  
 
date: Wed, 2 Jul 2008 08:25:01 -0700,    group: microsoft.public.exchange.misc        back       


Event ID 562 and 565    
Hi,

I have this on the security log of the exchange server:

Event ID 565

Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Database
Object
Name: /DC=ca/DC=DomainName/CN=Configuration/CN=Services/CN=Microsoft
Exchange/CN= /CN=Administrative Groups/CN=First Administrative
Group/CN=Servers/CN=EX1
Handle ID: 0
Operation ID: {1,2898073581}
Process ID: 4944
Process Name: C:\Program Files\Exchsrvr\bin\store.exe
Primary User Name: EX1$
Primary Domain: PARKINSON
Primary Logon ID: (0x0,0x3E7)
Client User Name: EX1$
Client Domain: DomainName
Client Logon ID: (0x0,0x5D092)
Accesses: Unknown specific access (bit 8)

Privileges: -

Properties:
---
%{a8df74ba-c5ea-11d1-bbcb-0080c76670c0}
Unknown specific access (bit 8)
%{d74a8762-22b9-11d3-aa62-00c04f8eedd8}
%{d74a8774-2289-11d3-aa62-00c04f8eedd8}
%{cf899a6a-afe6-11d2-aa04-00c04f8eedd8}
%{cffe6da4-afe6-11d2-aa04-00c04f8eedd8}
%{cfc7978e-afe6-11d2-aa04-00c04f8eedd8}
%{d03a086e-afe6-11d2-aa04-00c04f8eedd8}
%{d0780592-afe6-11d2-aa04-00c04f8eedd8}
%{d74a875e-22b9-11d3-aa62-00c04f8eedd8}
%{cf4b9d46-afe6-11d2-aa04-00c04f8eedd8}
%{cf0b3dc8-afe6-11d2-aa04-00c04f8eedd8}
%{d74a8766-22b9-11d3-aa62-00c04f8eedd8}
%{d74a8769-22b9-11d3-aa62-00c04f8eedd8}
%{d74a876f-22b9-11d3-aa62-00c04f8eedd8}

Access Mask: 0


and


Event ID 562


Handle Closed:
Object Server: Microsoft Exchange
Handle ID: 568129248
Process ID: 4944
Image File Name: C:\Program Files\Exchsrvr\bin\store.exe


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


The log is full of this two events. We also have a usershared folder on that
drive which hosts the exchange database which has auditing enabled. I have
just disabled it.

Could it be causing this problem. Also I noticed that the security log on
the domain controllers has many entries with the events 538, 576, 540 from
the exchange server.

Thx
date: Wed, 2 Jul 2008 08:25:01 -0700   author:   melu

Re: Event ID 562 and 565    
The account in question is the local system account of the Exchange server 
EX1.  This is the account the exchange services run under.

Bit 8 basicly means the account is logging onto a mailbox and does not have 
send as or owner rights.  This is normal for the system account when doing 
mailbox cleanup or movemailbox (or even a backup or av scan if they're 
running in the context of the system account and not a seperate service 
account)..

In the end, I'd say it's much ado about nothing and you have your logging 
turned up way too high.

John


"melu"  wrote in message 
news:5481CAC6-BA02-40EB-8851-AA8DF1B055CC@microsoft.com...
> Hi,
>
> I have this on the security log of the exchange server:
>
> Event ID 565
>
> Object Open:
> Object Server: Microsoft Exchange
> Object Type: Microsoft Exchange Database
> Object
> Name: /DC=ca/DC=DomainName/CN=Configuration/CN=Services/CN=Microsoft
> Exchange/CN= /CN=Administrative Groups/CN=First Administrative
> Group/CN=Servers/CN=EX1
> Handle ID: 0
> Operation ID: {1,2898073581}
> Process ID: 4944
> Process Name: C:\Program Files\Exchsrvr\bin\store.exe
> Primary User Name: EX1$
> Primary Domain: PARKINSON
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: EX1$
> Client Domain: DomainName
> Client Logon ID: (0x0,0x5D092)
> Accesses: Unknown specific access (bit 8)
>
> Privileges: -
>
> Properties:
> ---
> %{a8df74ba-c5ea-11d1-bbcb-0080c76670c0}
> Unknown specific access (bit 8)
> %{d74a8762-22b9-11d3-aa62-00c04f8eedd8}
> %{d74a8774-2289-11d3-aa62-00c04f8eedd8}
> %{cf899a6a-afe6-11d2-aa04-00c04f8eedd8}
> %{cffe6da4-afe6-11d2-aa04-00c04f8eedd8}
> %{cfc7978e-afe6-11d2-aa04-00c04f8eedd8}
> %{d03a086e-afe6-11d2-aa04-00c04f8eedd8}
> %{d0780592-afe6-11d2-aa04-00c04f8eedd8}
> %{d74a875e-22b9-11d3-aa62-00c04f8eedd8}
> %{cf4b9d46-afe6-11d2-aa04-00c04f8eedd8}
> %{cf0b3dc8-afe6-11d2-aa04-00c04f8eedd8}
> %{d74a8766-22b9-11d3-aa62-00c04f8eedd8}
> %{d74a8769-22b9-11d3-aa62-00c04f8eedd8}
> %{d74a876f-22b9-11d3-aa62-00c04f8eedd8}
>
> Access Mask: 0
>
>
> and
>
>
> Event ID 562
>
>
> Handle Closed:
> Object Server: Microsoft Exchange
> Handle ID: 568129248
> Process ID: 4944
> Image File Name: C:\Program Files\Exchsrvr\bin\store.exe
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> The log is full of this two events. We also have a usershared folder on 
> that
> drive which hosts the exchange database which has auditing enabled. I have
> just disabled it.
>
> Could it be causing this problem. Also I noticed that the security log on
> the domain controllers has many entries with the events 538, 576, 540 from
> the exchange server.
>
> Thx
date: Wed, 2 Jul 2008 12:47:47 -0700   author:   John Fullbright fjohn@donotspamnetappdotcom

Google
 
Web ureader.com


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us