
Windows Security Log Events by ID


Event ID: 565

Title: Object Open (Active Directory)

Type: Success, Failure

OS: Windows 2000

Category: Directory Service

Example:

Object Open:
    Object Server: DS
    Object Type: user
    Object Name: CN=test,DC=elmw2,DC=local
    New Handle ID: 0
    Operation ID: {0,961803}
    Process ID: 260
    Primary User Name: W2DC$
    Primary Domain: ELMW2
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: Administrator
    Client Domain: ELMW2
    Client Logon ID: (0x0,0xE7112)
    Accesses Write Property
    Privileges -
    Properties:
    Write Property
        Public Information
            department

Randy's Comments:

Event 565 allows you to track changes to Active Directory objects down to the property level. While Account Management provides more useful auditing for changes to users, groups and computers, Directory Service Access events are the only way to monitor the potentially far-reaching effects of changes to organizational units, group policy objects, domains and site-related objects.

Event 565 is similar to event 560 but is limited to recording open events on Active Directory objects. Event 565 is therefore only logged on domain controllers.

Auditing must be enabled on the desired container and leaf objects for event 565 to be logged: open the object's Properties dialog, select the Security tab, click Advanced and select the Auditing tab. Event 565 allows you to track new objects created in AD, changes to existing objects, and deletions.

Object Type: the class of the object, as defined in the schema for this forest. Common object types:
user
group
gpContainer (group policy object)
dnsDomain (domain)
organizational unit

Object Name: X500 distinguished name of the object.

Primary fields: always correspond to the directory service process and domain controller account.

Client fields: identify the user (usually some level of an administrator) that accessed the object.

Accesses: identifies the permissions the user/program requested on the object. These accesses directly correspond to the object-level and property-level permissions you see in the access control list of the associated object in Active Directory. Write Property and Read Property accesses will be followed by the actual properties written to or read.

Object types and property names can be cryptic. Use the Active Directory Schema Management MMC snap-in to understand the meaning.

Write_DAC indicates the user/program attempted to change the permissions on the object.

You will only see event 565 on domain controllers.
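
The field layout described above can be parsed from exported event text to report who wrote which properties and whether permissions were changed. This Python parser is an added example, not part of the original page; the second sample record, the function names and the tolerant matching of the Accesses line (with or without a separator) are assumptions.

```python
import re

# Constructed input: page's example (trimmed) plus a hypothetical OU record.
SAMPLES = ["""Object Open:
Object Type: user
Object Name: CN=test,DC=elmw2,DC=local
Client User Name: Administrator
Client Domain: ELMW2
Accesses Write Property
Privileges -
Properties:
Write Property
Public Information
department""", """Object Open:
Object Type: organizationalUnit
Object Name: OU=Sales,DC=elmw2,DC=local
Client User Name: jdoe
Client Domain: ELMW2
Accesses WRITE_DAC
Privileges -
Properties:
WRITE_DAC"""]

FIELD = re.compile(r"^\s*(Object Type|Object Name|Client User Name|Client Domain):\s*(.*)$")
SECTION = re.compile(r"^\s*(Accesses|Privileges|Properties):?\s*(.*)$")

def parse_565(text):
    """Return labelled fields plus the Accesses/Privileges/Properties line lists."""
    event, section = {"Accesses": [], "Privileges": [], "Properties": []}, None
    for line in text.splitlines():
        field, sec = FIELD.match(line), SECTION.match(line)
        if field:
            event[field.group(1)], section = field.group(2).strip(), None
        elif sec:
            section = sec.group(1)
            if sec.group(2).strip():
                event[section].append(sec.group(2).strip())
        elif section and line.strip():
            event[section].append(line.strip())
    return event

def summarize(text):
    """Reduce one event to who touched what, flagging permission (DACL) changes."""
    e = parse_565(text)
    who = e.get("Client Domain", "?") + "\\" + e.get("Client User Name", "?")
    written = [p for p in e["Properties"] if p not in e["Accesses"]]
    acl_change = any(a.upper() == "WRITE_DAC" for a in e["Accesses"])
    return {"who": who, "object": e.get("Object Name"), "type": e.get("Object Type"),
            "written": written, "acl_change": acl_change}
```

Calling `summarize()` on each record in `SAMPLES` yields one dictionary per event; filtering on `acl_change` or on `type` values such as OUs and group policy objects narrows the output to the changes this event is most useful for.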
