Phantom Logons?

Chris Riling

Hi,

We have a Windows NT domain, with several BDCs, but
most of our clients are on 2000, while some are on 98. I
am having a problem with users who leave their machines on
overnight. During the course of the night, and seemingly
random times, for several users, we will see a network
logon in the event log. The locations are physically
secure, with locks, cameras, keypads, and guard personnel
at each remote office, and we have been assured that no
one has entered or exited the buildings where these logons
took place. The logons have the user name and the machine
name, and have event ID 528 and 538. I have created logon
time restrictions for accounts, and am now catching 530's
(time restriction violations). No machines on this network
segment have public IPs, and no one else on our WAN has
reported problems, so I don't think it is a security
breach. What could be causing this? Network drive
timeouts, share timeouts, etc.? Any help will be
appreciated, please reply via email to
(e-mail address removed). Thanks!
 
Steven L Umbach

The following link may be helpful. It seems to be related to use of file shares as
you suspected. I wonder if they leave applications open or there is a background
application [antivirus?] that periodically tries to save data or update data to/from a
network share. Having time restrictions is a great idea and you might also want to
implement the screensaver to lock the computer after a period of inactivity if you
don't already and maybe use the AT command to schedule the computers to shutdown via
the shutdown command at a certain time. Netmon would probably help you track the
activity down if you don't mind going through a lot of lines, though you should be
able to narrow it down by correlating it to the time of the events in the security
log. --- Steve


http://is-it-true.org/nt/atips/atips155.shtml
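
Added example, not part of the original thread: one way to pull the overnight 528/538/530 events out of an exported security log and turn them into per-machine time windows for filtering a Netmon capture. The CSV layout, the user and workstation names, the 07:00-19:00 business hours and the 60-second padding are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export (assumed layout): timestamp, event ID, user, workstation
SAMPLE = """\
2003-06-10 17:02:11,538,jdoe,WS-014
2003-06-11 01:13:40,528,jdoe,WS-014
2003-06-11 01:13:52,538,jdoe,WS-014
2003-06-11 02:47:05,530,asmith,WS-022
2003-06-11 03:20:31,530,asmith,WS-022
2003-06-11 08:31:09,528,asmith,WS-022
"""

EVENTS = {528: "logon", 538: "logoff", 530: "time-restriction violation"}
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed business hours

def off_hours_events(text, start=WORK_START, end=WORK_END):
    """Group 528/538/530 events outside start..end by (user, workstation)."""
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or not row[1].strip().isdigit():
            continue  # skip header lines and malformed rows
        stamp, event_id, user, host = (field.strip() for field in row)
        if int(event_id) not in EVENTS:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if not (start <= when.time() < end):
            hits[(user.lower(), host.upper())].append((when, int(event_id)))
    return {key: sorted(events) for key, events in hits.items()}

def capture_windows(hits, pad=timedelta(seconds=60)):
    """Merge nearby events into padded (start, end) windows per machine."""
    windows = {}
    for key, events in hits.items():
        merged = []
        for when, _ in events:
            lo, hi = when - pad, when + pad
            if merged and lo <= merged[-1][1]:  # overlaps the previous window
                merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
            else:
                merged.append((lo, hi))
        windows[key] = merged
    return windows

if __name__ == "__main__":
    for (user, host), spans in capture_windows(off_hours_events(SAMPLE)).items():
        print(user, host, [(a.isoformat(" "), b.isoformat(" ")) for a, b in spans])
```
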
 
Bobby McMillan [MSFT]

Chris,

As long as the users remain logged in, any mapped drive may have a
reconnect take place. This is what the Network logon is. You are correct
in using the logon time restrictions. This will prevent the users in
question from reconnecting the network drives as you are seeing. You may
also wish to investigate the use of winexit.scr. This will log off the
users after a set idle time. Do you have a company policy stating that
users should log off at the end of the day?


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Chris Riling

We have Norton Antivirus Corporate running on all of the
machines, but I even put a clean machine on the LAN (full
format, clean install of Win2k Pro, no Norton), left it
logged on overnight, and sure enough I had a logon event
in my logs in the morning. Strange, eh?
 
Chris Riling

We have told them to shut their machines down, but
obviously several users aren't; and the logon events only
occur with machines that are left on overnight. I will
look into winexit.scr. Thanks!
 
Bobby McMillan [MSFT]

Chris,

Just remember winexit may cause loss of data if they have apps open.


This posting is provided "AS IS" with no warranties, and confers no rights.
 