Auditing Logon Events

H

help

At the moment, on a Windows 2000 with SP4 server that is a Domain
Controller, if I have the following policies set with the DC Security
Policy:
Audit Account Logon Events: None
Audit Logon Events: Success+Failures

then I get mulitple events logged for each instance of log-on and log-off

To be precise, for logons, I get Event IDs:
528 Successful Logon
515 A trusted logon process has registered with the Local Security
Authority. This logon process will be trusted to submit logon requests.
540 Successful Network Logon: TWICE

For Logoffs
538 Successful Logoffs: multiple entries
 
H

help

Also very strangely, after LogOffs are logged, I also have logon logged in
the eventviewers:
in fact it's more like
Log off
Log on
Log Off
Log on


when in fact the user has simply issued a log off!
 
S

Steven L Umbach

That is normal to see. I believe a lot of those events are computer account
related. For a domain controller you may want to audit account logon events
instead and maybe just failures for logon events. --- Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Unexplained 540 Events in Security log on W2K workstation in a dom 0
Excessive computer account logon/logoff loggining on security log 5
Auditing User logon/logoff events. 2
FTP login to Win2k sp4 with IIS not all audited 1
Successive Anonymous Logon events in security log 3
Account Logon and Logoff Auditing 1
Audit Account Logon Events 3
Logoff Events do not get logged...Why? 4

Top