You are currently offline, waiting for your internet to reconnect

The User account is not logged in Event ID 566 after the user makes changes to a mailbox

In Microsoft Exchange Server 2007, you enable "auditing" to audit changes made to Mailbox Security Descriptor. After you do this, Event ID 566 in the Security log for such modifications include only the computer account and excludes the administrator account. When you check the event ID 566 in the Security log on a Domain Controller, you see an event that resembles the following:
Event Type:	Success AuditEvent Source:	SecurityEvent Category:	Directory Service Access Event ID:	566User:		<domain name>\<machine account of the mailbox server>Computer:	<DC server name>Description:Object Operation: 	Object Server:	DS 	Operation Type:	Object Access 	Object Type:	user 	Object Name:	<CN of the mailbox> 	Handle ID:	- 	Primary User Name:	<DC server name> 	Primary Domain:	<domain name> 	Primary Logon ID:	(0x0,0x3E7) 	Client User Name:	<machine account of the mailbox server> 	Client Domain:	<domain name> 	Client Logon ID:	(0x0,0xA63006) 	Accesses:	Write Property 			 	Properties:	Write Property 		Exchange Information			msExchMailboxSecurityDescriptor	user 	Additional Info:	 	Additional Info2:	 	Access Mask:	0x20For more information, see Help and Support Center at
In Exchange Server 2007, the Store.exe process executes any changes a user makes to the mailbox permissions. Additionally, the Store.exe process runs under the computer account. Therefore, the computer account and not an administrator account, records the auditing.
To resolve this problem, install the following update rollup:
971534 Description of Update Rollup 1 for Exchange Server 2007 Service Pack 2

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
After you apply this update, you must set a registry entry to record the specific administrator account. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Diagnostics\9000 Private
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type 9078 Administrative Actions to name this new entry, and then press ENTER.
  5. Right-click 9078 Administrative Actions, and then click Modify.
  6. Under Base, click Decimal.
  7. In the Value data box, type 1, and then click OK.
  8. After you configure this registry entry, restart the computer.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Article ID: 967174 - Last Review: 11/19/2009 20:36:35 - Revision: 1.0

Microsoft Exchange Server 2007 Service Pack 2

  • kbsurveynew kbfix kbexpertiseinter kbhotfixrollup kbqfe KB967174