logon log off events

Guest

I started managing a Windows 2000 domain controller with SP4 for a company. When I check the security log in the morning, there are events 538 and 540 (logon and logoff events) entered all night when I know users aren't there. Does anyone know if this is significant, or what it signifies?
Steve S.
 
Kurt Hudson [MVP]

This could be significant. However, it is possible that you are capturing
service account activity and other "expected" behaviors. You really need to
track down the account names and/or SIDs that are causing the activity to be
logged. Perhaps there is a pattern - for example maybe one or two services
have bogus user credentials that they are trying every few minutes or
seconds.

If you are really concerned, you might set a high Account Lockout value.
However, that could be used as a denial of service attack against your
accounts. You may find that you have lots of user accounts locked out (539)
the next morning.

steve sullam said:
I started managing a Windows 2000 domain controller with SP4 for a company.
When I check the security log in the morning, there are events 538 and 540
(logon and logoff events) entered all night when I know users aren't
there. Does anyone know if this is significant, or what it signifies?
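
One way to do the per-account breakdown suggested in the reply above, as an added example that is not part of the original thread: it groups off-hours event 540 logons by account and flags evenly spaced ones, which usually point to a service or scheduled job. The CSV column layout, account names, host names and timestamps are constructed assumptions; adapt the field names to however you export the Security log.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample data. The column layout is an assumption about how the
# Security log was exported to CSV; adapt the field names to your export.
SAMPLE = """time,event_id,user,workstation
2004-03-02 01:00:00,540,BACKUPSVC,APPSRV02
2004-03-02 01:00:02,538,BACKUPSVC,APPSRV02
2004-03-02 01:05:00,540,BACKUPSVC,APPSRV02
2004-03-02 01:10:00,540,BACKUPSVC,APPSRV02
2004-03-02 01:15:00,540,BACKUPSVC,APPSRV02
2004-03-02 01:20:00,540,BACKUPSVC,APPSRV02
2004-03-02 02:03:11,540,FILESRV01$,FILESRV01
2004-03-02 02:40:52,540,FILESRV01$,FILESRV01
2004-03-02 03:12:44,540,jdoe,WKSTN-17
2004-03-02 04:17:30,540,FILESRV01$,FILESRV01
2004-03-02 10:15:00,540,jdoe,WKSTN-17
"""

def summarize_off_hours(csv_text, day_start=6, day_end=20):
    """Per-account summary of event 540 logons outside day_start..day_end."""
    stamps, hosts = defaultdict(list), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["event_id"] != "540" or day_start <= ts.hour < day_end:
            continue  # keep only logons recorded outside working hours
        stamps[row["user"]].append(ts)
        hosts[row["user"]].add(row["workstation"])
    report = {}
    for user, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[user] = {
            "count": len(times),
            "median_gap_s": median(gaps) if gaps else None,
            # Near-constant spacing suggests a service or scheduled job.
            "periodic": len(gaps) >= 3 and pstdev(gaps) <= 0.1 * median(gaps),
            # Names ending in "$" are computer accounts, not people.
            "machine_account": user.endswith("$"),
            "workstations": sorted(hosts[user]),
        }
    return report

if __name__ == "__main__":
    for user, info in sorted(summarize_off_hours(SAMPLE).items()):
        print(user, info)
```

Accounts that are neither periodic nor computer accounts, such as the single off-hours logon by the constructed user `jdoe`, are the ones to look at first.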
 
