Event ID 566 – Deleted Objects – Exchange Server

Tags: audit, exchange, windows-event-log, windows-server-2003

Getting a lot of these on one of the DCs security log:

*Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 27/01/2010
Time: 10:12:41
User: Domain\Exchangeserver$
Computer: DC
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: container
Object Name: CN=Deleted Objects,CN=Configuration,DC=Domain,DC=local
Handle ID: –
Primary User Name: DC$
Primary Domain: Domain
Primary Logon ID: (0x0,0x3E7)
Client User Name: Exchangeserver$
Client Domain: Domain
Client Logon ID: (0x0,0x55A0BA34)
Accesses: Read Property

Properties:


Default property set
uSNChanged
Public Information
objectClass
container
Additional Info:
Additional Info2:
Access Mask: 0x10*

The only thing I've noticed is there are some plain SIDs showing in mailbox rights (ADUC) for some of our users which I can only assume are old user accounts that have now been deleted (Sid to user will not resolve). Not sure if it's related.

Any ideas?

Thanks

Best Answer

Based on some Googling after I encountered this, I found that there was a change in Windows 2003 that allowed attributes to be marked as confidential. I’m not sure if this applied to “uSNChanged.”

One example result (a top Google hit):

http://www.eventid.net/display.asp?eventid=566&eventno=4015&source=Security&phase=1

Assuming this applies to your situation, you appear to have two options (quoted from the article linked above):

  1. Set Directory Service Access Auditing to no auditing to remove the audit entries from the security event log.
  2. In ADSIEDIT go into the SCHEMA partition - UnixUserPassword - under the attributes of search flags change from 128 to 0 then Force replication.

I didn’t come across anything obviously more specific when looking for “event id 566” along with “uSNChanged.” Adapt the instructions for the attributes in your situation.

There are lots of mentions of this elsewhere. I haven’t sorted it out myself, but hopefully this helps your situation.
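
Before choosing between the two options quoted above, it helps to tally which account, object and properties the failure audits actually name. The following is an added example, not part of the original answer: it parses Event 566 descriptions exported as text in the layout shown in the question, and its sample events (including the account "Admin1") are constructed.

```python
import re
from collections import Counter
# Constructed sample in the question's layout; "Admin1" is a made-up account.
TEMPLATE = """Event Type: {etype}
Event ID: 566
Object Name: CN=Deleted Objects,CN=Configuration,DC=Domain,DC=local
Client User Name: {client}
Client Domain: Domain
Accesses: Read Property
Properties:

Default property set
uSNChanged
Additional Info:
"""
SAMPLE = (TEMPLATE.format(etype="Failure Audit", client="Exchangeserver$") * 2
          + TEMPLATE.format(etype="Success Audit", client="Admin1"))

def parse_events(text):
    """Split on lines starting "Event Type:"; return one dict per event."""
    events = []
    for chunk in filter(str.strip, re.split(r"(?m)^(?=\*?Event Type:)", text)):
        fields, props, in_props = {}, [], False
        for line in (raw.strip().strip("*") for raw in chunk.splitlines()):
            if line.startswith("Properties:"):
                in_props = True          # property names follow, one per line
            elif line.startswith("Additional Info"):
                in_props = False         # end of the Properties block
            elif in_props and line:
                props.append(line)
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        fields["Properties"] = props
        events.append(fields)
    return events

def summarize(events):
    """Count Event 566 failure audits per (client, object, access, properties)."""
    counts = Counter()
    for e in events:
        if e.get("Event ID") == "566" and e.get("Event Type") == "Failure Audit":
            client = e.get("Client Domain", "?") + "\\" + e.get("Client User Name", "?")
            counts[client, e.get("Object Name"), e.get("Accesses"), tuple(e["Properties"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(parse_events(SAMPLE)).most_common():
        print(n, *key, sep=" | ")
```

A single dominant row, such as one computer account reading the same properties on one container, shows which attribute and account to look at first.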
