logon log off events

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I started managing a window 2000 domain controller with sp4 for company. When I check the security log in the morning there are events 538 and 540 (logon and logoff events) entered in all night when I know users aren't there. Does anyone know if this is signficant? or what it signifies.
Steve S.
 
This could be significant. However, it is possible that you are capturing
service account activity and other "expected" behaviors. You really need to
track down the account names and/or SIDs that are causing the activity to be
logged. Perhaps there is a pattern - for example maybe one or two services
have bogus user credentials that they are trying every few minutes or
seconds.

If you are really concerned, you might set a high Account Lockout value.
Howerver, that could be used as a denial of service attack against your
accounts. You may find that you have lots of user accounts locked out (539)
the next morning.

steve sullam said:
I started managing a window 2000 domain controller with sp4 for company.
Click to expand...
When I check the security log in the morning there are events 538 and 540
(logon and logoff events) entered in all night when I know users aren't
there. Does anyone know if this is signficant? or what it signifies.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

event log 538 and 540 1
Auditing User logon and logoff, from the event logs on the domain controllers 2
event logs 1
Unexplained 540 Events in Security log on W2K workstation in a dom 0
Auditing User logon/logoff events. 2
Log File Fill Automatically 4
Notification of Logon and Logoff 1
Excessive logon/logoff messages in event log 3

Back
Top