Re: 540,576,538



Have you looked for processes running as that account?
You might be able to catch info about it in action by use
of PortRptr (a download from Microsoft), but from what
you have shown this could be as simple as an attempt to
map a drive or otherwise connect to a share/printer.

"Nicolas" <Nicolas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DBFCDC07-1584-472F-847F-16635A8D833E@xxxxxxxxxxxxxxxx
I agree, but how can I find what is causing this behavior?
Again, I scanned that server in every way possible with no results.
I only have HP Insight Manager 7.0 and Symantec control center installed.
In no place did I enter a parameter to use a specific user to log in on my other
servers. Is there a tool that could help me?

Thank you again for your help,

Nicolas




"Roger Abell [MVP]" wrote:

You need to examine the machine named MTLNTWWW15
that has IP 1.175.210.34, as it is from there that the logon
is originated.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Nicolas" <Nicolas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3E964671-2BBD-467F-B5D5-B24CC173BA1B@xxxxxxxxxxxxxxxx
Hi,

I know it's an already seen question but mine here is somewhat different.
I know we see Event ID 540, 538, 576 and 680 with anonymous. My problem is that
I have plenty of those (several times per minute), not with anonymous but
with a local user that is not used. I encountered that problem on many of my
servers and I don't know what triggers it and why that user.

I have run an anti-virus as well as Ad-Aware SE and everything is fine.
I can assure you that the user was not configured on any services or tasks.
Other than that I can assure you that I'm in control of the servers.
I disabled the local user and I get a failure to log on now.

Do you have any idea what is going on?
Your help is appreciated

Nicolas

________________________

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/13/2006
Time: 10:09:13 AM
User: MMMMMSSSS\sharon_stone
Computer: MMMMMSSSS
Description:
Successful Network Logon:
User Name: sharon_stone
Domain: MMMMMSSSS
Logon ID: (0x0,0x19A55888)
Logon Type: 3
Logon Process:
Authentication Package: NTLM
Workstation Name: MTLNTWWW15
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 1.175.210.34
Source Port: 4025


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

_____________________



Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 12/13/2006
Time: 10:09:13 AM
User: MMMMMSSSS\sharon_stone
Computer: MMMMMSSSS
Description:
Special privileges assigned to new logon:
User Name: sharon_stone
Domain: MMMMMSSSS
Logon ID: (0x0,0x19A55888)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

______________________


Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/13/2006
Time: 10:09:13 AM
User: MMMMMSSSS\sharon_stone
Computer: MMMMMSSSS
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: sharon_stone
Source Workstation: MTLNTWWW15
Error Code: 0x0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

____________________


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/13/2006
Time: 10:09:13 AM
User: MMMMMSSSS\sharon_stone
Computer: MMMMMSSSS
Description:
Successful Network Logon:
User Name: sharon_stone
Domain: MMMMMSSSS
Logon ID: (0x0,0x19A5586D)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MTLNTWWW15
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 1.175.210.34
Source Port: 4025


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
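
An added example, not part of the original thread: a small parser for Event Viewer text dumps in the layout quoted above. It groups type 3 (network) logons from event 540 by account, workstation and source address, and attaches the privileges from the 576 event that shares the same Logon ID. The function names and all sample values are constructed for illustration.

```python
import re
# Constructed sample in the thread's Event Viewer text layout; values are placeholders.
SAMPLE = """\
Event ID: 540
User Name: unused_local
Logon ID: (0x0,0x1A)
Logon Type: 3
Workstation Name: HOST-A
Source Network Address: 192.0.2.34
____
Event ID: 576
Logon ID: (0x0,0x1A)
Privileges: SeSecurityPrivilege
SeDebugPrivilege
____
Event ID: 540
User Name: unused_local
Logon ID: (0x0,0x1B)
Logon Type: 3
Workstation Name: HOST-A
Source Network Address: 192.0.2.34
"""

def parse_events(text):
    """Yield one field dict per event; blocks are split on underscore rules."""
    for block in re.split(r"(?m)^_{4,}\s*$", text):
        ev = {}
        for line in map(str.strip, block.splitlines()):
            if m := re.match(r"([A-Za-z ]+):\s*(.*)$", line):
                ev[m.group(1)] = m.group(2)
            elif "Privileges" in ev and re.fullmatch(r"Se\w+Privilege", line):
                ev["Privileges"] += " " + line  # wrapped privilege list
        if "Event ID" in ev:
            yield ev

def network_logon_sources(events):
    """Count type 3 logons (540) per (account, workstation, address)."""
    events = list(events)  # iterated twice below
    privs = {e.get("Logon ID"): e.get("Privileges", "").split()
             for e in events if e["Event ID"] == "576"}
    out = {}
    for e in events:
        if e["Event ID"] == "540" and e.get("Logon Type") == "3":
            key = (e.get("User Name"), e.get("Workstation Name"),
                   e.get("Source Network Address"))
            row = out.setdefault(key, {"count": 0, "privileges": set()})
            row["count"] += 1
            row["privileges"].update(privs.get(e.get("Logon ID"), []))
    return out
```

With NTLM the Workstation Name field is supplied by the client, so the Source Network Address is the more reliable of the two values when deciding which machine to examine.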






