Re: 540,576,538

I agree but how can I found what is causing this behavior.
Again I scan that server anyway as possible with no results.
I only have HP insight Manager 7.0 and Symantic control center installed. In
no place I enter parameter to use a specific user to login on my others
servers. Is there a tool that could help me?

Thank you again for your help,

Nicolas




"Roger Abell [MVP]" wrote:

You need to examine the machine named MTLNTWWW15
that has IP 1.175.210.34, as it is from there that the logon
is originated.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Nicolas" <Nicolas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3E964671-2BBD-467F-B5D5-B24CC173BA1B@xxxxxxxxxxxxxxxx
Hi,

I know it's an already seen question but mine here is somewhat different.
I
know we see Event ID 540, 538, 576 and 680 with anonymous. My problem is
that
I have plenty of those (servertimes per minutes but not with anonymous but
with a local user that is not used. I encountered that problem on many of
my
servers and I don't know what triggers it and why that user.

I have an anti-virus run as well as Adware Se and everything is fine.
I can assure you that the user was not configure on any services or tasks.
Other than that I can assure you that I'm in control of the servers.
I disable the local user and I get an failure to logon now.

Do you have any idea what is going on?
Your help is appreciated

Nicolas

________________________

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/13/2006
Time: 10:09:13 AM
User: MMMMMSSSS\sharon_stone
Computer: MMMMMSSSS
Description:
Successful Network Logon:
User Name: sharon_stone
Domain: MMMMMSSSS
Logon ID: (0x0,0x19A55888)
Logon Type: 3
Logon Process:
Authentication Package: NTLM
Workstation Name: MTLNTWWW15
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 1.175.210.34
Source Port: 4025


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

_____________________



Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 12/13/2006
Time: 10:09:13 AM
User: MMMMMSSSS\sharon_stone
Computer: MMMMMSSSS
Description:
Special privileges assigned to new logon:
User Name: sharon_stone
Domain: MMMMMSSSS
Logon ID: (0x0,0x19A55888)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

______________________


Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/13/2006
Time: 10:09:13 AM
User: MMMMMSSSS\sharon_stone
Computer: MMMMMSSSS
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: sharon_stone
Source Workstation: MTLNTWWW15
Error Code: 0x0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

____________________


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/13/2006
Time: 10:09:13 AM
User: MMMMMSSSS\sharon_stone
Computer: MMMMMSSSS
Description:
Successful Network Logon:
User Name: sharon_stone
Domain: MMMMMSSSS
Logon ID: (0x0,0x19A5586D)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MTLNTWWW15
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 1.175.210.34
Source Port: 4025


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.





.

Relevant Pages