Re: Multiple 538 and 540 ID's in 2003 server Security Events Log?
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Aug 2006 22:19:24 -0500
It is normal to see many logon/logoff events in the security log of domain
controllers when auditing of logon events is enabled and a lot of that
activity is for authentication traffic and accessing sysvol for Group
Policy. You may not even want to use auditing of logon events on domain
controllers [or audit failure only] because of all the noise and instead use
auditing of account logon events though that will NOT show when a user logs
off "their domain" computer nor will "logon" events from the domain
controller. To get more accurate information for logoff you need to enable
auditing of "logon" events on the domain computers and then get the logon
and logoff event from the local security log of the domain computer.
Steve
"Reluctant Sys-Admin" <ReluctantSysAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:06D890FE-CF4D-4151-BFED-80DE714D8EF5@xxxxxxxxxxxxxxxx
I have a 2003 Server domain controller and XP workstations. I am trying to
audit when domain users log on and off the domain for the day.
There seem to be multiple 538 (successful logoff) and 540 (successful logon)
event ID's in the Security Events Log for each user when they log on. Both
ID's appear again several times when the user logs off. Sometimes the ID's
appear a few minutes apart for the same actual log on/off event, which makes
it hard to tell when the event actually occurred. Is there a better way to
tell conclusively exactly when a user logs on/off the domain?
Thanks!
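
An added example, not part of the original thread: once "logon" auditing is enabled on the workstations as the reply suggests, the workstation's own Security log can be reduced to one row per console session by pairing each interactive logon with the logoff that carries the same Logon ID. The CSV column layout and the sample rows are constructed for illustration. The example also relies on details the thread does not mention: on Server 2003/XP, event 528 is the interactive logon, 540 is the network logon, and logon type 2 means interactive.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a workstation Security log, flattened to CSV.
# The column names are an assumed layout, not a real export format.
SAMPLE = """\
time,event_id,user,logon_type,logon_id
2006-08-24 08:01:12,528,jsmith,2,0x3e4a1
2006-08-24 08:01:15,540,jsmith,3,0x3e5b7
2006-08-24 08:01:40,538,jsmith,3,0x3e5b7
2006-08-24 12:10:03,540,jsmith,3,0x4a001
2006-08-24 12:25:03,538,jsmith,3,0x4a001
2006-08-24 17:02:45,538,jsmith,2,0x3e4a1
2006-08-24 17:30:00,528,mjones,2,0x51c90
"""

INTERACTIVE = {"2"}  # logon type 2 = interactive (console) logon


def interactive_sessions(csv_text):
    """Return (user, logon_time, logoff_time) per interactive session.

    Network logons (type 3, e.g. sysvol or share access) are dropped, which
    removes the repeated 538/540 pairs. logoff_time is None when the session
    has no matching logoff in the log yet.
    """
    open_sessions = {}  # logon_id -> (user, logon_time)
    sessions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["logon_type"] not in INTERACTIVE:
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        key = row["logon_id"]
        if row["event_id"] == "528":
            open_sessions[key] = (row["user"], when)
        elif row["event_id"] == "538" and key in open_sessions:
            user, start = open_sessions.pop(key)
            sessions.append((user, start, when))
    # Logons with no logoff recorded: user still logged on, or log truncated.
    for user, start in open_sessions.values():
        sessions.append((user, start, None))
    return sorted(sessions, key=lambda s: s[1])


if __name__ == "__main__":
    for user, start, end in interactive_sessions(SAMPLE):
        print(user, start, end if end else "(no logoff recorded)")
```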