Event 562 Success audit in Security log on Exchange 2003 Server

If you turn on Audit Object Access, which is useful for finding out who accessed or deleted files and when, you may see thousands of Event 562 entries in the Windows Security event log. Here's how I fixed it.

ISSUE
-----------
After turning on Success auditing for Object Access on the SBS 2003 Server, the security event log fills up with:

Event ID: 562
Source: System
Category: Object Access
Type: Success A
Description:
Handle Closed
Object Server: Microsoft Exchange
Image File Name: C:\Program Files\Exchsrvr\bin\store.exe

CAUSE
--------
Temporary objects created/opened while routing mail are audited when closed/deleted. The auditing is not based on SACL on these objects; all these operations are audited just because they turned on auditing for Store.

RESOLUTION
---------------
Add the following registry setting to disable the store auditing without impacting the audit for other objects.

On the SBS Server, please open the below registry key:

HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

Please add the following DWORD value

Value name: Disable Close Object Audit
Value Type: DWORD
Value Data: 1

 source: http://msmvps.com/blogs/bradley/archive/2006/12/23/issues-in-december-from-the-partner-newsgroups.aspx

 I did not need to restart any services after following these instructions.
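
The registry change above, applied idempotently with a before-count of the noisy events, as an added example that is not part of the original post or the quoted source. It assumes Windows PowerShell 2.0 or later in an elevated session on the Exchange server; the function name `Get-StoreCloseAuditCount` and the 10-minute window are hypothetical choices for illustration.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0+ and an elevated session.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$name = 'Disable Close Object Audit'

# Hypothetical helper: count Event 562 entries in the Security log whose
# text names store.exe, limited to the last $Minutes minutes.
function Get-StoreCloseAuditCount {
    param([int]$Minutes = 10)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = @(Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 562 -and $_.Message -like '*store.exe*' })
    return $events.Count
}

# Refuse to create the key: if it is missing, this is not the right server.
if (-not (Test-Path $key)) {
    throw "Registry key not found: $key"
}

# Record the noise level before the change so the effect can be measured.
$before = Get-StoreCloseAuditCount
Write-Output "Event 562 entries from store.exe in the last 10 minutes: $before"

# Read the current value (if any) so a re-run changes nothing and the old state is visible.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Output "'$name' is already set to 1; nothing to change."
} else {
    $shown = $(if ($null -eq $current) { 'not present' } else { $current })
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "'$name' set to 1 (previous value: $shown)."
}

# After mail has flowed for ten minutes or so, call Get-StoreCloseAuditCount
# again and compare the result with $before.
```

Event 562 entries for other object servers are not counted by the helper, so a drop in its result reflects only the store.exe handle-close audits.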

Comments

This worked like a charm and this is the only set of instructions that helped me resolve the problem. I spent days searching through the web.

Thanks!!!!
