R
Raymond
The configuration is as following:
- Windows 2000 SP4 running as DC with IIS FTP installed
- One account "ftpuser" created for accessing the FTP server
- "Domain Security Policy", "Audit account logon events" and "Audit
logon events" are both turned on for success and failure
- Normally, we have about 10 workstations(NT4 WS) access the server in
the morning from 8:15AM to 8:30AM to get updated files.
The problem is :
- I am expecting I can get TEN pairs of "528 + 538" events with the
user field set to "ftpuser", but I only get at most TWO pairs of "528
+ 538" events.
Successful Logon:
User Name: ftpuser
Domain: DOMAIN1
Logon ID: (0x0,0x65A244)
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER1
User Logoff:
User Name: ftpuser
Domain: DOMAIN1
Logon ID: (0x0,0x65A244)
Logon Type: 2
In between, I got a lot of 540, 583 events who's user is "SYSTEM":
Successful Network Logon:
User Name: SERVER1$
Domain: DOMAIN1
Logon ID: (0x0,0x65EA72)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
User Logoff:
User Name: SERVER1$
Domain: DOMAIN1
Logon ID: (0x0,0x65EBB9)
Logon Type: 3
Anyone know what's the problem?
- Windows 2000 SP4 running as DC with IIS FTP installed
- One account "ftpuser" created for accessing the FTP server
- "Domain Security Policy", "Audit account logon events" and "Audit
logon events" are both turned on for success and failure
- Normally, we have about 10 workstations(NT4 WS) access the server in
the morning from 8:15AM to 8:30AM to get updated files.
The problem is :
- I am expecting I can get TEN pairs of "528 + 538" events with the
user field set to "ftpuser", but I only get at most TWO pairs of "528
+ 538" events.
Successful Logon:
User Name: ftpuser
Domain: DOMAIN1
Logon ID: (0x0,0x65A244)
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER1
User Logoff:
User Name: ftpuser
Domain: DOMAIN1
Logon ID: (0x0,0x65A244)
Logon Type: 2
In between, I got a lot of 540, 583 events who's user is "SYSTEM":
Successful Network Logon:
User Name: SERVER1$
Domain: DOMAIN1
Logon ID: (0x0,0x65EA72)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
User Logoff:
User Name: SERVER1$
Domain: DOMAIN1
Logon ID: (0x0,0x65EBB9)
Logon Type: 3
Anyone know what's the problem?