This could be significant. However, it is possible that you are capturing
service account activity and other "expected" behaviors. You really need to
track down the account names and/or SIDs that are causing the activity to be
logged. Perhaps there is a pattern - for example maybe one or two services
have bogus user credentials that they are trying every few minutes or
seconds.
If you are really concerned, you might set a high Account Lockout value.
However, that could be used as a denial of service attack against your
accounts. You may find that you have lots of user accounts locked out (539)
the next morning.
steve sullam said:
I started managing a Windows 2000 domain controller with SP4 for a company.
When I check the security log in the morning there are events 538 and 540
(logon and logoff events) entered in all night when I know users aren't
there. Does anyone know if this is significant, or what it signifies?
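
The triage suggested in the reply (find which accounts generate the overnight 540 events and whether they follow a pattern) can be sketched as follows; this is an added example, not part of either post. The CSV layout, account names and workstation names are constructed for illustration and assume the Security log has been exported to text with those columns.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export; column names and all values are assumptions.
SAMPLE = r"""time,event_id,account,logon_type,workstation
2004-03-02 01:00:05,540,CORP\svc_backup,3,SRV02
2004-03-02 01:00:09,538,CORP\svc_backup,3,SRV02
2004-03-02 01:05:04,540,CORP\svc_backup,3,SRV02
2004-03-02 01:10:06,540,CORP\svc_backup,3,SRV02
2004-03-02 01:15:05,540,CORP\svc_backup,3,SRV02
2004-03-02 02:13:40,540,CORP\jdoe,3,WS17
2004-03-02 03:47:12,540,CORP\jdoe,3,WS17
"""

def summarize(csv_text, event_ids=("540",), tolerance=0.10):
    """Group logon events by account and flag clockwork-like repetition."""
    times = defaultdict(list)
    sources = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] not in event_ids:
            continue  # e.g. skip 538 logoffs when counting logons
        acct = row["account"]
        times[acct].append(datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"))
        sources[acct].add(row["workstation"])
    report = {}
    for acct, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = median(gaps) if gaps else None
        # "Periodic" = at least 4 logons whose spacing stays within
        # tolerance of the median gap: typical of a service or scheduled job.
        periodic = len(gaps) >= 3 and all(abs(g - med) <= tolerance * med for g in gaps)
        report[acct] = {
            "count": len(ts),
            "median_gap_s": med,
            "periodic": periodic,
            "sources": sorted(sources[acct]),
        }
    return report

if __name__ == "__main__":
    for acct, info in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(acct, info)
```

Accounts flagged as periodic are the first candidates for the "expected" service activity the reply describes; the remaining overnight logons and their source workstations are the ones to review by hand.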