Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->DS Access->EventID 565 - Object Open [Win 2003]
EventID 565 - Object Open [Win 2003]
Indicates that an attempt was made to access a directory service object. Success or failure is indicated in the message. If access was successful, the listed accesses were requested and granted. If access failed, the listed accesses were requested but not granted.

Note: 
This event occurs only on domain controllers.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2000
Windows 2008
 Sample: 
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Directory Service Access
        Event ID:       565
        Date:           10/26/2009
        Time:           07:31:45
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        Object Open:
        Object Server:	Security Account Manager
        Object Type:	SAM_DOMAIN
        Object Name:	DC=research,DC=corp
        Handle ID:	636360
        Operation ID:	{0,6358495}
        Process ID:	384
        Process Name:	C:\WINDOWS\system32\lsass.exe
        Primary User Name:	DC1$
        Primary Domain:	RESEARCH
        Primary Logon ID:	(0x0,0x3E7)
        Client User Name:	Alebovsky
        Client Domain:	RESEARCH
        Client Logon ID:	(0x0,0x59DF36)
        Accesses:	%DELETE
        %READ_CONTROL
        %WRITE_DAC
        %WRITE_OWNER
        %ReadPasswordParameters
        %WritePasswordParameters
        %ReadOtherParameters
        %WriteOtherParameters
        %CreateUser
        %CreateGlobalGroup
        %CreateLocalGroup
        %GetLocalGroupMembership
        %ListAccounts

        Privileges:	-

        Properties:
        ---
        %{19195a5a-6da0-11d0-afd3-00c04fd930c9}
        %DELETE
        %READ_CONTROL
        %WRITE_DAC
        %WRITE_OWNER
        %ReadPasswordParameters
        %WritePasswordParameters
        %ReadOtherParameters
        %WriteOtherParameters
        %CreateUser
        %CreateGlobalGroup
        %CreateLocalGroup
        %GetLocalGroupMembership
        %ListAccounts
        %{c7407360-20bf-11d0-a768-00aa006e0529}
        %{bf9679a4-0de6-11d0-a285-00aa003049e2}
        %{bf9679a5-0de6-11d0-a285-00aa003049e2}
        %{bf9679a6-0de6-11d0-a285-00aa003049e2}
        %{bf9679bb-0de6-11d0-a285-00aa003049e2}
        %{bf9679c2-0de6-11d0-a285-00aa003049e2}
        %{bf9679c3-0de6-11d0-a285-00aa003049e2}
        %{bf967a09-0de6-11d0-a285-00aa003049e2}
        %{bf967a0b-0de6-11d0-a285-00aa003049e2}
        %{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}
        %{bf967a34-0de6-11d0-a285-00aa003049e2}
        %{bf967a33-0de6-11d0-a285-00aa003049e2}
        %{bf9679c5-0de6-11d0-a285-00aa003049e2}
        %{bf967a61-0de6-11d0-a285-00aa003049e2}
        %{bf967977-0de6-11d0-a285-00aa003049e2}
        %{bf96795e-0de6-11d0-a285-00aa003049e2}
        %{bf9679ea-0de6-11d0-a285-00aa003049e2}
        %{ab721a52-1e2f-11d0-9819-00aa0040529b}

        Access Mask:	0
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category DS Access
Source Security
EventId 565
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Object Server The name of the service handling the access request InsertionString1 DS
Object Type The class object as specified in the schema for this forest (user, group, organizational unit, etc.) InsertionString2 %{f30e3bc2-9ff0-11d1-b603-0000f80367c1}
Object Name Distinguished name of the AD object InsertionString3 %{8bb7faa0-e9f7-46c1-b22a-c03de2f4b7cb}
Handle ID ID of the object handle granted to the process accessing it InsertionString4 807808
Primary User Name Account name of the user under which the directory service process runs InsertionString9 DCCC1$
Primary Domain Domain of the Primary User Name InsertionString10 LOGISTICS
Primary Logon ID ID of the logon session of the Primary User Name account InsertionString11 (0x0,0x3E7)
Client User Name Name of the user attempting to access the object InsertionString12 DCCC1$
Client Domain Domain of the Client User Name InsertionString13 LOGISTICS
Client Logon ID ID of the logon session of the Client User Name account InsertionString14 (0x0,0x59DF36)
Accesses Identifies the permissions requested by user/program to the object. These accesses directly correspond to the object level and property level permissions you see in the access control list of the associated object in Active Directory. Write Property and Read Property accesses will be followed by the actual properties written to or read. InsertionString15 DELETE
Properties The list of properties to which access was requested InsertionString17 READ_CONTROL
Operation ID Unique ID of the operation performed on the object Expression {%5,%6}
Process ID ID of the process (program) making the access request InsertionString7 384
Process Name Full path and name of the program making the access request InsertionString8 C:\WINDOWS\system32\lsass.exe
Privileges The list of privileges held by user accessing the object InsertionString16 -
Access Mask The actual set of rights for the user accessing the object. InsertionString18 0
Comments
You must be logged in to comment