Windows Security Log Event ID 566

Operating Systems Windows 2003 and XP
CategoryDirectory Service
Type Success
Corresponding events
in Windows 2008
and Vista
4662 , 5136 , 5137  

566: Object Operation (W3 Active Directory)

On this page

Whereas event 565 logs the permissions requested by user/program, event 566 logs the permissions actually exercised by the user/program after opening it. While an object may accessed several times during the same open, Windows only logs event 566 the first time a given permission is actually exercised. This event is similar to 567 but is limited to Active Directory object accesses.

This event is part of operation based auditing which is new to W3.

You will only see event 566 on domain controllers.

Free Security Log Resources by Randy

Description Fields in 566

  • Object Server:
  • Object Type:
  • Object Name:
  • Handle ID:
  • Primary User Name:
  • Primary Domain:
  • Primary Logon ID:
  • Client User Name:
  • Client Domain:
  • Client Logon ID:
  • Accesses
  • Additional Info:
  • Additional Info2:
  • Access Mask:

Supercharger Enterprise

Load Balancing for Windows Event Collection


Examples of 566

Object Operation:
Object Server:DS
Operation Type:Object Access
Object Type:user
Object Name:CN=test,DC=elm,DC=local
Handle ID:-
Primary User Name:W3DC$
Primary Domain:ELM
Primary Logon ID:(0x0,0x3E7)
Client User Name:administrator
Client Domain:ELM
Client Logon ID:(0x0,0x158EB7)
Accesses:Write Property 
   Write Property
   Public Information
Additional Info:
Additional Info2:
Access Mask:0x20

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Upcoming Webinars
    Additional Resources