XADM: Failure Audit Security Event ID Messages Are Logged When You Open a Mailbox That You Have Delegate Access To (813229)



The information in this article applies to:

  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange 2000 Server

SYMPTOMS

When you try to open the Microsoft Outlook folders of a different user, and you have delegate access for those folders, one or more of the following failure audit event ID messages are logged in the Security log of the Windows Event Viewer:

Date: Date
Source: Security
Time: Time
Category: Object Access
Type: Failure
Event ID: 565
User: DomainName\User
Computer: ComputerName
Description:

Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Logon
Object Name: /o=Organization/ou=Organizational unit/cn=Recipients/cn=user
New Handle ID: -
Operation ID: {0,32586782}
Process ID: 2168
Primary User Name: ComputerName$
Primary Domain: DomainName
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: DomainName
Client Logon ID: (0x0,0x1F13BE3)
Accesses Unknown specific access (bit 0)
Privileges -

-and-

Date: Date
Source: Security
Time: Time
Category: Object Access
Type: Failure
Event ID: 565
User: DomainName\User
Computer: ComputerName
Description:

Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Logon
Object Name: /o=Organization/ou=Organizational unit/cn=Recipients/cn=user
New Handle ID: -
Operation ID: {0,33480094}
Process ID: 2168
Primary User Name: ComputerName$
Primary Domain: DomainName
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: DomainName
Client Logon ID: (0x0,0x1FEDD89)
Accesses Unknown specific access (bit 8)
Privileges -

Properties:


READ_CONTROL
WRITE_DAC
WRITE_OWNER
MAX_ALLOWED
Unknown specific access (bit 4)
Unknown specific access (bit 6)
Unknown specific access (bit 7)
Unknown specific access (bit 8)
Unknown specific access (bit 9)
Unknown specific access (bit 11)
Unknown specific access (bit 12)
Unknown specific access (bit 15)
%{ab721a54-1e2f-11d0-9819-00aa0040529b}

Even though the failure audit event messages are logged in the Security log, you can successfully open the folders that you have delegate access to.

CAUSE

This behavior may occur if the following conditions are true:
  • You access another user's mailbox by using delegate access.
  • Audit logging is turned on for object access.
This behavior occurs if you do not have the Send As or Owner rights for the mailbox that you are trying to open. The failure audit events are logged to notify the administrator that the user who is accessing the mailbox does not have Send As or Owner rights to the mailbox itself even though the user has delegate access to the mailbox. These failure audit events are logged in the Security log of the Event Viewer so that the administrator of the Exchange 2000 organization can verify that security permissions are set correctly.

WORKAROUND

You can safely ignore the failure audit events.

STATUS

This behavior is by design.

MORE INFORMATION

When you try to open the mailbox of another user by using delegate access, Windows verifies that you have Send As and Owner rights for that mailbox. When you try to open mailboxes in the private information store of an Exchange 2000 computer, the following behavior occurs:
  • If you own the mailbox, the logon object that corresponds to your user account is flagged with the Owner rights to the mailbox. Because of this, all subsequent operations that you perform on objects that are in the mailbox are not checked for access permissions. This speeds operations when you open your mailbox.
  • If you do not own the mailbox but you have delegate access, every operation that you perform is verified to make sure that you possess sufficient rights. This helps to make sure that you only perform actions in folders that you have rights for. Because of this, when you try to open the mailbox of another user, the initial rights verifications (for the Send As and Owner rights) return a failure audit result.
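
Because these failure audits are logged each time a delegate opens a mailbox, an administrator who wants to verify permissions can group them by client account and mailbox and compare the result with the delegations that are supposed to exist. The following Python code is an added example, not part of the original article or of any Microsoft tool; the export layout (each record starting with a "Date:" line), the sample records, and the APPROVED list are constructed assumptions.

```python
import re
from collections import Counter

FIELD = re.compile(r"(?m)^([A-Za-z ]+):[ \t]*(.*)$")
ACCESS = re.compile(r"(?m)^Accesses:?[ \t]*(.+)$")  # the article prints this field without a colon

def parse_events(text):
    """Split an exported log into one dict per event; assumes each record starts with 'Date:'."""
    events = []
    for chunk in re.split(r"(?m)^(?=Date:)", text):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        m = ACCESS.search(chunk)
        if m:
            fields["Accesses"] = m.group(1).strip()
        if fields:
            events.append(fields)
    return events

def is_delegate_logon_failure(ev):
    """True for the event shape this article describes."""
    return (ev.get("Event ID") == "565" and ev.get("Type") == "Failure"
            and ev.get("Object Server") == "Microsoft Exchange"
            and ev.get("Object Type") == "Microsoft Exchange Logon")

def delegate_pairs(text):
    """Count matching events per (client account, mailbox cn)."""
    pairs = Counter()
    for ev in filter(is_delegate_logon_failure, parse_events(text)):
        client = ev.get("Client Domain", "?") + "\\" + ev.get("Client User Name", "?")
        mailbox = ev.get("Object Name", "").rsplit("cn=", 1)[-1]
        pairs[(client, mailbox)] += 1
    return pairs

def unexpected_pairs(text, expected):
    """Pairs that are not on the administrator's list of approved delegations."""
    return {p: n for p, n in delegate_pairs(text).items() if p not in expected}

def _event(event_id, server, obj_type, mailbox, user, bit):  # builds constructed sample records
    return (f"Date: Date\nType: Failure\nEvent ID: {event_id}\nObject Server: {server}\n"
            f"Object Type: {obj_type}\nObject Name: /o=Org/ou=Site/cn=Recipients/cn={mailbox}\n"
            f"Client User Name: {user}\nClient Domain: CORP\n"
            f"Accesses Unknown specific access (bit {bit})\nPrivileges -\n\n")

SAMPLE = (_event(565, "Microsoft Exchange", "Microsoft Exchange Logon", "alice", "bob", 0)
          + _event(565, "Microsoft Exchange", "Microsoft Exchange Logon", "alice", "bob", 8)
          + _event(565, "Microsoft Exchange", "Microsoft Exchange Logon", "dave", "carol", 0)
          + _event(560, "Security", "File", "n/a", "bob", 1))
APPROVED = {("CORP\\bob", "alice")}  # hypothetical list of delegations the administrator expects

if __name__ == "__main__":
    print(unexpected_pairs(SAMPLE, APPROVED))
```

Pairs on the approved list can be filtered out as the expected noise this article describes; any remaining pair identifies a mailbox whose permissions should be checked.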

Modification Type: Minor
Last Reviewed: 6/13/2003
Keywords: kbprb KB813229