Directory Service Access Security Failure 565 with Object=GUID

dprofancik

These errors are starting to frustrate me, and I have not found anyone
with an answer. How can I find out what object it is talking about
when all it gives me is a GUID? Is it a deleted AD object? It seems
to log this when the RUS runs and possibly at other times.

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: DATE
Time: TIME
User: DOMAIN\EXCHANGESERVER$
Computer: DOMAINCONTROLLER$
Description:
Object Open:
Object Server: DS
Object Type: container
Object Name: %{e5b0f464-608b-47a6-a173-a21e228f3d65}
New Handle ID: -
Operation ID: {0,35168820}
Process ID: 372
Primary User Name: DOMAINCONTROLLER$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: EXCHANGESERVER$
Client Domain: DOMAIN
Client Logon ID: (0x0,0x210502F)
Accesses Read Property

Privileges -

Properties:
DELETE
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
Delete Child
List Contents
Read Property
Write Property
%{00000000-0000-0000-0000-000000000000}
READ_CONTROL
SYNCHRONIZE
Read Property
Write Property
uSNChanged

Any ideas? Thanks in advance.
 
dprofancik

I've already looked at www.eventid.net. I'm wondering about the line:
Object Name: %{e5b0f464-608b-47a6-a173-a21e228f3d65}

I don't know how to find this object. Any ideas? Thanks.
 
Chuck Chopp

I've already looked at www.eventid.net. I'm wondering about the line:
Object Name: %{e5b0f464-608b-47a6-a173-a21e228f3d65}

I don't know how to find this object. Any ideas? Thanks.

Looks like a GUID value. Objects in AD all have a unique GUID that remains
constant regardless of DN changes due to renames and moves. There's an API
function, DsCrackNames(), which is used to convert between the various name
formats used to identify objects in AD. One of the name formats that it
supports converting to/from is DS_UNIQUE_ID_NAME, which works with
string-formatted GUID values returned from the IIDFromString() function.

Take a look at the MSDN docs for these functions and I think that you'll be
on your way to converting the GUID value for each object into another format
that's more user-friendly.


--
Chuck Chopp

 
Joe Richards [MVP]

Get ADFIND (www.joeware.net) and run the following query (all one line)

adfind -gc -b -binenc -f "|(objectGuid={{GUID:e5b0f464-608b-47a6-a173-a21e228f3d65}})(msExchMailboxGuid={{GUID:e5b0f464-608b-47a6-a173-a21e228f3d65}})" -dn
 
dprofancik

Chuck, thanks for the references. I'm a little too busy at the moment
to code a tool.

Joe, thanks for the tool. However, it returned, "0 Objects returned".

Any other ideas?
 
Joe Richards [MVP]

That means that object was probably deleted or the GUID isn't properly specified.

If you have admin rights across the forest, you can add the switch -showdel
which will show you any objects that match the GUID that have been deleted that
are still within the tombstone period.

joe
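
An added example, not code from any poster in this thread: a Python sketch that pulls the Object Name GUID out of event 565 text, rejects a truncated or copy-damaged GUID (one of the two causes suggested above for an empty result), and builds the equivalent LDAP filter with the GUID as escaped binary octets. The function names are hypothetical, and the sample event is constructed from the lines quoted in the first post.

```python
import re
import uuid

# Constructed sample: the relevant lines of the event 565 text from the thread,
# including a soft hyphen (U+00AD) of the kind web and mail copies introduce.
SAMPLE_EVENT = """\
Event ID: 565
Object Server: DS
Object Type: container
Object Name: %{e5b0f464-608b-47a6-a173-a21e\u00ad228f3d65}
Client User Name: EXCHANGESERVER$
"""

OBJECT_NAME = re.compile(r"^\s*Object Name:\s*%\{([^}]*)\}", re.MULTILINE)
GUID_FORM = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def extract_guid(event_text):
    """Return the Object Name GUID as a uuid.UUID, or raise ValueError."""
    match = OBJECT_NAME.search(event_text)
    if not match:
        raise ValueError("no %{GUID} Object Name in event text")
    # Strip invisible characters before validating the 8-4-4-4-12 shape.
    raw = re.sub(r"[\u00ad\u200b\s]", "", match.group(1))
    if not GUID_FORM.fullmatch(raw):
        raise ValueError("malformed GUID: %r" % raw)
    return uuid.UUID(raw)


def ldap_guid_filter(guid, attrs=("objectGUID", "msExchMailboxGuid")):
    """Build an OR filter matching the GUID in any of the given attributes."""
    # AD stores GUIDs with the first three fields little-endian (bytes_le);
    # an LDAP filter carries binary values as \xx escaped octets (RFC 4515).
    escaped = "".join("\\%02x" % b for b in guid.bytes_le)
    return "(|" + "".join("(%s=%s)" % (a, escaped) for a in attrs) + ")"


if __name__ == "__main__":
    print(ldap_guid_filter(extract_guid(SAMPLE_EVENT)))
```

The resulting filter can be passed to any LDAP search tool against a global catalog; a deleted object will only match if the search also requests tombstones.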
 
