Microsoft KB Archive/836419

= Your auditing logs may contain incorrect auditing event details for event 565 and event 560 =

Article ID: 836419

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition

SYMPTOMS
Auditing event details may be reported incorrectly in your auditing logs. This symptom may occur in one or both of the following ways:

 * The access bit is not decoded and insertion strings are displayed in event 565 for the SAM Server object:

Event Type: Success Audit

Event Source: Security

Event Category: Directory Service Access

Event ID: 565

Description:

Object Open:

Object Server: Security Account Manager

Object Type: SAM_SERVER

Object Name: CN=Server,CN=System,DC=< >

Handle ID: 357683232

Operation ID: {0,19736110}

Process ID: 780

Process Name: C:\WINDOWS\system32\lsass.exe

Primary User Name:

Primary Domain:

Primary Logon ID: (0x0,0x3E7)

Client User Name:

Client Domain:

Client Logon ID: (0x0,0x12CEAE5)

Accesses READ_CONTROL

InitializeServer

EnumerateDomains

Undefined Access (no effect) Bit 7

Privileges -

Properties:

---

%{bf967aad-0de6-11d0-a285-00aa003049e2}

00x20094%20%21%22%23%24%25%26

--

Note The problem is noted on the "Undefined Access (no effect) Bit 7" line of this event.

 * Event 565 reports that handles are opened in the Directory Service Access category. However, event 560 reports that these handles are closed in the Object Access category. The following list includes samples of the event 565 report and the event 560 report.

Event 565:

Event Type: Success Audit

Event Source: Security

Event Category: Directory Service Access

Event ID: 565

Description:

Object Open:

Object Server: Security Account Manager

Object Type: SAM_USER

Object Name: 

Handle ID: 357684048

Operation ID: {0,19736100}

Process ID: 780

Process Name: C:\WINDOWS\system32\lsass.exe

Primary User Name: < >

Primary Domain: < >

Primary Logon ID: (0x0,0x3E7)

Client User Name: < >

Client Domain: < >

Client Logon ID: (0x0,0x12CEAE5)

Accesses:

Event 560 where the matching handle close event has a different category than Event 565:

Event Type: Success Audit

Event Source: Security

Event Category: Object Access

Event ID: 562

Description: Handle Closed:

Object Server: Security Account Manager

Handle ID: 357684048

Process ID: 780

Image File Name: C:\WINDOWS\system32\lsass.exe  
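Because the open and close events land in different categories, log review that filters on Event Category will miss one half of each pair. The following added example (not Microsoft's code) pairs opens and closes on Process ID and Handle ID instead, and flags opens that carry an undecoded access line; the function names are hypothetical and the sample text is constructed in the layout shown above.

```python
import re

# Constructed sample in this article's event layout; handle and process IDs reuse its values.
SAMPLE = """Event Category: Directory Service Access
Event ID: 565
Object Open:
Handle ID: 357683232
Process ID: 780
Undefined Access (no effect) Bit 7

Event Category: Directory Service Access
Event ID: 565
Object Open:
Handle ID: 357684048
Process ID: 780

Event Category: Object Access
Event ID: 562
Handle Closed:
Handle ID: 357684048
Process ID: 780
"""

def parse_events(text):
    """Yield one dict per blank-line-separated event; 'Key: value' lines become fields."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        pairs = [re.match(r"([^:]+):\s*(.*)$", ln) for ln in lines]
        kind = "open" if "Object Open:" in block else "close" if "Handle Closed:" in block else None
        yield {"kind": kind,
               "fields": {m.group(1): m.group(2) for m in pairs if m},
               "raw": [ln for ln, m in zip(lines, pairs) if not m]}

def correlate(events):
    """Pair opens and closes on (Process ID, Handle ID), ignoring Event Category."""
    open_handles, mismatched, undecoded = {}, [], []
    for ev in events:
        f = ev["fields"]
        key = (f.get("Process ID"), f.get("Handle ID"))
        if ev["kind"] == "open":
            open_handles[key] = f  # a reused handle value replaces any stale entry
            if any(r.startswith("Undefined Access") for r in ev["raw"]):
                undecoded.append(key)
        elif ev["kind"] == "close":
            opened = open_handles.pop(key, None)
            if opened and opened.get("Event Category") != f.get("Event Category"):
                mismatched.append(key)
    return {"mismatched": mismatched, "undecoded": undecoded, "unclosed": list(open_handles)}
```
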



CAUSE
This problem may occur if the following conditions are true:
 * You turn on auditing for the Object Access category and the Directory Service Access category.
 * The default System Access Control List (SACL) is configured on the affected objects.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbaudit kbnofix kbprb kbbug KB836419


© Microsoft Corporation. All rights reserved.