Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The User account is not logged in Event ID 566 after the user makes changes to a mailbox


View products that this article applies to.

Symptoms

In Microsoft Exchange Server 2007, you enable "auditing" to audit changes made to Mailbox Security Descriptor. After you do this, Event ID 566 in the Security log for such modifications include only the computer account and excludes the administrator account. When you check the event ID 566 in the Security log on a Domain Controller, you see an event that resembles the following:
Event Type:	Success Audit
Event Source:	Security
Event Category:	Directory Service Access 
Event ID:	566
User:		<domain name>\<machine account of the mailbox server>
Computer:	<DC server name>
Description:
Object Operation:
 	Object Server:	DS
 	Operation Type:	Object Access
 	Object Type:	user
 	Object Name:	<CN of the mailbox>
 	Handle ID:	-
 	Primary User Name:	<DC server name>
 	Primary Domain:	<domain name>
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	<machine account of the mailbox server>
 	Client Domain:	<domain name>
 	Client Logon ID:	(0x0,0xA63006)
 	Accesses:	Write Property 
			
 	Properties:
	Write Property 
		Exchange Information
			msExchMailboxSecurityDescriptor
	user

 	Additional Info:	
 	Additional Info2:	
 	Access Mask:	0x20

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

↑ Back to the top


Cause

In Exchange Server 2007, the Store.exe process executes any changes a user makes to the mailbox permissions. Additionally, the Store.exe process runs under the computer account. Therefore, the computer account and not an administrator account, records the auditing.

↑ Back to the top


Resolution

To resolve this problem, install the following update rollup:
971534� Description of Update Rollup 1 for Exchange Server 2007 Service Pack 2

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756� How to back up and restore the registry in Windows
After you apply this update, you must set a registry entry to record the specific administrator account. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Diagnostics\9000 Private
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type 9078 Administrative Actions to name this new entry, and then press ENTER.
  5. Right-click 9078 Administrative Actions, and then click Modify.
  6. Under Base, click Decimal.
  7. In the Value data box, type 1, and then click OK.
  8. After you configure this registry entry, restart the computer.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


Keywords: KB967174, kbqfe, kbhotfixrollup, kbexpertiseinter, kbfix, kbsurveynew

↑ Back to the top

Article Info
Article ID : 967174
Revision : 1
Created on : 11/19/2009
Published on : 11/19/2009
Exists online : False
Views : 464