Attack of the Event ID 565
I have a Windows Server 2003 box that is a DC, a DNS server, and an Exchange 2003 server. In the security event log we are getting 50-100 events a second like this:

Source: Security
Category: Directory Service Access
Event ID: 565
User: NT AUTHORITY\SYSTEM
Object Open:
  Object Server: Security Account Manager
  Object Type: SAM_DOMAIN
  Object Name: CN=Builtin,DC=tmfteam,DC=com
  Handle ID: 129843432
  Operation ID: {0,588717592}
  Process ID: 520
  Process Name: C:\WINDOWS\system32\lsass.exe
  Primary User Name: SERVERNAME$
  Primary Domain: SERVERNAME
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: SERVERNAME$
  Client Domain: SERVERNAME
  Client Logon ID: (0x0,0x3E7)
  Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts
  Privileges: -
  Properties:
    ---
    %{19195a5a-6da0-11d0-afd3-00c04fd930c9}
    DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts
    %{c7407360-20bf-11d0-a768-00aa006e0529} %{bf9679a4-0de6-11d0-a285-00aa003049e2} %{bf9679a5-0de6-11d0-a285-00aa003049e2} %{bf9679a6-0de6-11d0-a285-00aa003049e2} %{bf9679bb-0de6-11d0-a285-00aa003049e2} %{bf9679c2-0de6-11d0-a285-00aa003049e2}
    %{bf9679c3-0de6-11d0-a285-00aa003049e2} %{bf967a09-0de6-11d0-a285-00aa003049e2} %{bf967a0b-0de6-11d0-a285-00aa003049e2} %{b8119fd0-04f6-4762-ab7a-4986c76b3f9a} %{bf967a34-0de6-11d0-a285-00aa003049e2} %{bf967a33-0de6-11d0-a285-00aa003049e2}
    %{bf9679c5-0de6-11d0-a285-00aa003049e2} %{bf967a61-0de6-11d0-a285-00aa003049e2} %{bf967977-0de6-11d0-a285-00aa003049e2} %{bf96795e-0de6-11d0-a285-00aa003049e2} %{bf9679ea-0de6-11d0-a285-00aa003049e2} %{ab721a52-1e2f-11d0-9819-00aa0040529b}
  Access Mask: 0

I'm sure this has something to do with auditing, but I can't find where to turn it off.
I've checked all of our group policies and none of them have directory service auditing enabled. I've checked the security properties of the server and the domain, and neither of them have it enabled either.
August 27th, 2008 7:47pm

Based on a search I have found an extremely well explained article; give it a look.

These events are caused because Microsoft Exchange server is accessing your Active Directory user accounts. Microsoft Exchange uses Active Directory accounts, and extends the schema of those accounts to store Exchange-related settings on those accounts. The "unknown specific access" entries mean that the Windows system that you used to look at the logs didn't natively know the names of the Exchange-related properties being accessed.

Failure audit events and "unknown specific access" events, while annoying, are not in themselves signs of a problem on your system. If you enable failure auditing you will see some failures; Windows and Windows applications often have code to take care of the failure by doing something a different way. For instance, if you use Word to open a document that you only have read permission to, Word will try to open the document for write; this will cause a failure audit if failure auditing for object access is turned on. However, Word won't crash or throw an error; it will simply notify you that it's going to open the document as read-only. Similarly, Exchange and many other Windows applications do similar things.

If the only symptom you're seeing is the failure audits, and Exchange is working properly, these can be safely ignored. If you have problems using or administering Exchange, then you should post to one of the Exchange forums, and offer these audit events as additional troubleshooting information.

If you just want these events to go away, the easiest way to do so is to modify the Default Domain Controllers Policy in Administrative Tools. You can change Computer Settings\Security Settings\Local Policies\Audit Policy to disable Failure auditing for the DS Object Access category. Or, you can change the SACL on the root of your Active Directory, to either remove failure accesses, or to remove the object types or accesses in question.

Thanks and hope it helps,
Syed Khairuddin
August 28th, 2008 10:07am
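The reply above says the %{GUID} entries in the event are properties the local machine could not name. The PowerShell below is an added example, not part of this thread or of any Microsoft tool; it resolves those GUIDs against the AD schema (schemaIDGUID for attributes and classes, rightsGuid under Extended-Rights for property sets) so an admin can see which properties the 565 events actually refer to. It assumes it runs on a domain-joined machine with LDAP access to a DC, and that the event's Message text is passed in as a string.

```powershell
# Added example: resolve %{GUID} property tokens from an Event ID 565 message
# to their AD schema names using ADSI. Assumes LDAP access to a DC.
function Resolve-DsAuditGuid {
    param([Parameter(Mandatory)][string]$EventText)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNC = $rootDse.schemaNamingContext.Value
    $configNC = $rootDse.configurationNamingContext.Value

    # Every %{...} token in the Properties section of the event text.
    $guids = [regex]::Matches($EventText, '%\{([0-9a-fA-F-]{36})\}') |
             ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique

    foreach ($g in $guids) {
        $name = $null; $kind = $null

        # schemaIDGUID is an octet string, so the filter needs the GUID's raw
        # bytes, each escaped as \xx, in the byte order .NET produces.
        $escaped = (([guid]$g).ToByteArray() |
                    ForEach-Object { '\' + $_.ToString('x2') }) -join ''
        $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNC")
        $s.Filter = "(schemaIDGUID=$escaped)"
        $s.PropertiesToLoad.Add('lDAPDisplayName') | Out-Null
        $r = $s.FindOne()
        if ($r) {
            $name = $r.Properties['ldapdisplayname'][0]; $kind = 'attribute/class'
        } else {
            # Property sets and extended rights store rightsGuid as a plain string.
            $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Extended-Rights,$configNC")
            $s.Filter = "(rightsGuid=$g)"
            $s.PropertiesToLoad.Add('displayName') | Out-Null
            $r = $s.FindOne()
            if ($r) { $name = $r.Properties['displayname'][0]; $kind = 'property set / extended right' }
        }

        if (-not $name) { $name = '(not found in schema)' }
        [pscustomobject]@{ Guid = $g; Kind = $kind; Name = $name }
    }
}

# Usage: feed the Message of one 565 event straight from the Security log.
# Get-EventLog -LogName Security -InstanceId 565 -Newest 1 |
#     ForEach-Object { Resolve-DsAuditGuid -EventText $_.Message } | Format-Table -AutoSize
```

A GUID that comes back "(not found in schema)" is one the forest's schema does not define, which is worth a second look, since everything Exchange added should resolve once the query is run against the domain rather than the local machine.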

Thanks for the response, Syed. It is true that this issue does not seem to be causing any obvious problems. I just can't imagine that many events logged every second can be good for system performance. This is on an Exchange server, so I'm not sure why it would not be aware of those events. FWIW I did have an Exchange 2007 server in the organization briefly, but had to uninstall it to work out some hardware issues.

I've tried turning off auditing directory service access in both the domain controller policy and at the root of the domain, but it isn't turned on.
September 3rd, 2008 4:15pm

We are getting AD account lockouts several times a day. Not sure what's causing it.
September 1st, 2011 3:41pm
