1/16/2006 5:15:56 PM    Excessive Logon/Logoff's
I was reviewing my Security logs on my Server 2003. I noticed a lot of logon/logoff activity that seems to be going on continuously during hours of the day when no one is even in our offices. This seems to be from every computer that is left logged in to the domain. What is causing this? Is it normal for the server to record logon/logoffs repeatedly when the user is not actually logging on and off?
  
Sample of my event log:

Type	Date	Time	Source	Category	Event	User	Computer
Success Audit	1/16/2006	12:02:44 AM	Security	Logon/Logoff	538	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:40 AM	Security	Logon/Logoff	538	MPN$	BPSERVER
Success Audit	1/16/2006	12:02:37 AM	Security	Logon/Logoff	538	KMY$	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	538	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	538	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	538	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	540	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	576	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	540	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	576	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	540	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	576	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	540	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	576	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:33 AM	Security	Logon/Logoff	538	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:31 AM	Security	Logon/Logoff	538	CJS$	BPSERVER
Success Audit	1/16/2006	12:02:30 AM	Security	Logon/Logoff	540	MPN$	BPSERVER
Success Audit	1/16/2006	12:02:30 AM	Security	Account Logon	673	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:30 AM	Security	Account Logon	673	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:26 AM	Security	Logon/Logoff	540	KM$	BPSERVER
Success Audit	1/16/2006	12:02:21 AM	Security	Logon/Logoff	540	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:21 AM	Security	Logon/Logoff	576	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:21 AM	Security	Logon/Logoff	540	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:21 AM	Security	Logon/Logoff	576	SYSTEM	BPSERVER
Success Audit	1/16/2006	12:02:21 AM	Security	Logon/Logoff	540	CJS$	BPSERVER
Success Audit	1/16/2006	12:01:01 AM	Security	Logon/Logoff	538	MBEY$	BPSERVER
Success Audit	1/16/2006	12:00:52 AM	Security	Logon/Logoff	538	ARTWRKPC$	BPSERVER
Success Audit	1/16/2006	12:00:42 AM	Security	Logon/Logoff	540	ARTWRKPC$	BPSERVER
Success Audit	1/16/2006	12:00:05 AM	Security	Logon/Logoff	540	MBEY$	BPSERVER
Success Audit	1/15/2006	11:59:58 PM	Security	Logon/Logoff	538	PCKG$	BPSERVER

1/16/2006 6:42:34 PM    Re: Excessive Logon/Logoff's
If the server is a domain controller then yes, it is normal, as computers will often access the sysvol share and due to the fact that domain controllers are usually master browsers. For domain controllers you may want to only audit "account logon" events for success and failure and "logon" events for failure only.   --- Steve

"Mike Bailey" <mbailey@beaumontproducts.com> wrote in message news:%23X6QtpuGGHA.1312@TK2MSFTNGP09.phx.gbl...

1/18/2006 3:04:43 PM    Re: Excessive Logon/Logoff's
Account logon events: occur only once a user logs on to a computer or accesses his first shared network resource on a particular server (sometimes more often, but this explanation is something near the real thing). It means "the account's logon credentials are processed". For example: user logs on in the morning = one AccLogEvent; user prints a document on a "server" = one event; user looks into a shared folder *on the same* "server" = no more events.

Logon events: occur whenever a process or network service tries to become (impersonate) a user, and this can be several hundred times in a minute, for example several times for a single printed document.

O.

"Mike Bailey" <mbailey@beaumontproducts.com> wrote in message news:%23X6QtpuGGHA.1312@TK2MSFTNGP09.phx.gbl...

1/23/2006 2:29:00 PM    Re: Excessive Logon/Logoff's
I've changed my GPO for auditing account logon event success/failures and only failures for logon events and I'm still getting tons of logins - SEE BELOW.

Also, I was wondering why in the event log below, which was an event id 540, the Workstation Name is never picked up?

Successful Network Logon:
	User Name:	Username
	Domain:		MYDOMAIN
	Logon ID:		(0x0,0x225B90B)
	Logon Type:	3
	Logon Process:	Kerberos
	Authentication Package:	Kerberos
	Workstation Name:
	Logon GUID:	{12be2ed6-1c9b-065d-c1b3-8e7843ec85ed}

Type	Date	Time	Source	Category	Event	User	Computer
Success Audit	1/23/2006	2:17:18 PM	Security	Logon/Logoff	538	ML$	MYSERVER
Success Audit	1/23/2006	2:17:16 PM	Security	Logon/Logoff	538	PK-A$	MYSERVER
Success Audit	1/23/2006	2:17:16 PM	Security	Logon/Logoff	538	PK-A$	MYSERVER
Success Audit	1/23/2006	2:17:16 PM	Security	Logon/Logoff	538	SYSTEM	MYSERVER
Success Audit	1/23/2006	2:17:16 PM	Security	Logon/Logoff	540	SYSTEM	MYSERVER
Success Audit	1/23/2006	2:17:16 PM	Security	Logon/Logoff	576	SYSTEM	MYSERVER
Success Audit	1/23/2006	2:17:16 PM	Security	Logon/Logoff	540	PK-A$	MYSERVER
Success Audit	1/23/2006	2:17:16 PM	Security	Logon/Logoff	540	PK-A$	MYSERVER
Success Audit	1/23/2006	2:17:16 PM	Security	Logon/Logoff	540	PK-A$	MYSERVER
Success Audit	1/23/2006	2:17:15 PM	Security	Logon/Logoff	538	PK-A$	MYSERVER
Success Audit	1/23/2006	2:17:15 PM	Security	Logon/Logoff	540	PK-A$	MYSERVER
Success Audit	1/23/2006	2:17:15 PM	Security	Logon/Logoff	538	CL$	MYSERVER
Success Audit	1/23/2006	2:17:09 PM	Security	Logon/Logoff	538	KS$	MYSERVER
Success Audit	1/23/2006	2:17:07 PM	Security	Logon/Logoff	540	ML$	MYSERVER
Success Audit	1/23/2006	2:17:04 PM	Security	Logon/Logoff	538	LAB$	MYSERVER
Success Audit	1/23/2006	2:17:04 PM	Security	Logon/Logoff	540	CL$	MYSERVER
Success Audit	1/23/2006	2:17:04 PM	Security	Account Logon	673	SYSTEM	MYSERVER

Ondrej Sevecek wrote:

1/24/2006 8:31:41 AM    Re: Excessive Logon/Logoff's
This seems to me an ordinary log. There will always be a very high number of Logon/Logoff events.

Account Logon Event is produced when a DC actually authenticates the user (this occurs once per server the user is accessing in a 10 hour frame, when a service/TGT ticket is requested for Kerberos).

Logon Event is produced every time the user connects to a shared resource and sometimes even much more often.

There would only be a problem when there are FAILURE AUDITS and the account gets locked. This would be either a product of some malicious activity against the account or some misconfiguration of a service account in some service properties.

O.

"Mike Bailey" <mbailey@beaumontproducts.com> wrote in message news:u6QHENFIGHA.2460@TK2MSFTNGP10.phx.gbl...
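The export pasted in the first post and the last reply's point that only failure audits (and the lockouts they lead to) deserve attention, as an added example that is not code from this thread or from Microsoft: a small Python script that parses the tab-separated lines Event Viewer writes when the Security log is saved as a text file, separates the SYSTEM and computer-account noise (538/540/576/673) from activity by ordinary user accounts, and flags any account that is accumulating failure audits. The sample lines are constructed for this example: the success rows mirror the thread's export with the wrapped columns rejoined, while the 675 rows, the account name jdoe, the 644 lockout row and the threshold are assumptions, not taken from the page.

```python
from collections import Counter

# Windows 2000/2003 Security log event IDs used in the thread, plus the
# failure-side IDs a triage pass needs to recognise (pre-Vista numbering).
EVENT_NAMES = {
    538: "User Logoff",
    540: "Successful Network Logon",
    576: "Special privileges assigned to new logon",
    672: "Authentication Ticket (TGT) Granted",
    673: "Service Ticket Granted",
    529: "Logon Failure: unknown user name or bad password",
    539: "Logon Failure: account locked out",
    644: "User Account Locked Out",
    675: "Pre-authentication failed",
}

# Constructed sample in the layout of an Event Viewer "Save As" text export
# (Type, Date, Time, Source, Category, Event, User, Computer). The 675 rows
# for the assumed account "jdoe" and the 644 row are made up to show what a
# failure burst looks like. The locked-out account's name lives in the event
# description, which this summary export does not carry, so the 644 row's
# User column is SYSTEM.
SAMPLE_EXPORT = """\
Type\tDate\tTime\tSource\tCategory\tEvent\tUser\tComputer
Success Audit\t1/16/2006\t12:02:44 AM\tSecurity\tLogon/Logoff\t538\tSYSTEM\tBPSERVER
Success Audit\t1/16/2006\t12:02:40 AM\tSecurity\tLogon/Logoff\t538\tMPN$\tBPSERVER
Success Audit\t1/16/2006\t12:02:37 AM\tSecurity\tLogon/Logoff\t538\tKMY$\tBPSERVER
Success Audit\t1/16/2006\t12:02:33 AM\tSecurity\tLogon/Logoff\t540\tSYSTEM\tBPSERVER
Success Audit\t1/16/2006\t12:02:33 AM\tSecurity\tLogon/Logoff\t576\tSYSTEM\tBPSERVER
Success Audit\t1/16/2006\t12:02:30 AM\tSecurity\tLogon/Logoff\t540\tMPN$\tBPSERVER
Success Audit\t1/16/2006\t12:02:30 AM\tSecurity\tAccount Logon\t673\tSYSTEM\tBPSERVER
Success Audit\t1/16/2006\t12:02:26 AM\tSecurity\tLogon/Logoff\t540\tKM$\tBPSERVER
Success Audit\t1/16/2006\t12:00:42 AM\tSecurity\tLogon/Logoff\t540\tARTWRKPC$\tBPSERVER
Failure Audit\t1/16/2006\t12:03:01 AM\tSecurity\tAccount Logon\t675\tjdoe\tBPSERVER
Failure Audit\t1/16/2006\t12:03:02 AM\tSecurity\tAccount Logon\t675\tjdoe\tBPSERVER
Failure Audit\t1/16/2006\t12:03:03 AM\tSecurity\tAccount Logon\t675\tjdoe\tBPSERVER
Success Audit\t1/16/2006\t12:03:04 AM\tSecurity\tAccount Management\t644\tSYSTEM\tBPSERVER
"""


def parse_export(text):
    """Turn the export into a list of dicts; the header row is skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 8 or fields[0] == "Type":
            continue  # header, or a line the export wrapped across two rows
        kind, date, time, source, category, event, user, computer = fields
        records.append({
            "type": kind, "date": date, "time": time, "source": source,
            "category": category.strip(), "event": int(event),
            "user": user, "computer": computer,
        })
    return records


def account_class(user):
    """SYSTEM and trailing-'$' computer accounts are the background noise."""
    if user == "SYSTEM":
        return "system"
    if user.endswith("$"):
        return "machine"
    return "user"


def summarize_success(records):
    """Count success audits by (account class, event ID)."""
    counts = Counter()
    for r in records:
        if r["type"] == "Success Audit":
            counts[(account_class(r["user"]), r["event"])] += 1
    return counts


FAILURE_THRESHOLD = 3  # assumed for the example; align with the lockout policy


def find_failure_bursts(records, threshold=FAILURE_THRESHOLD):
    """Accounts with at least `threshold` failure audits, plus any 644 lockouts."""
    failures = Counter()
    lockouts = []
    for r in records:
        if r["type"] == "Failure Audit":
            failures[r["user"]] += 1
        if r["event"] == 644:
            lockouts.append(f"{r['date']} {r['time']} on {r['computer']}")
    flagged = {u: n for u, n in failures.items() if n >= threshold}
    return flagged, lockouts


def report(text):
    """One line per (class, event) bucket, then an ALERT line per finding."""
    records = parse_export(text)
    lines = []
    for (cls, event), n in sorted(summarize_success(records).items()):
        lines.append(f"{cls:8} {event} {EVENT_NAMES.get(event, '?'):45} x{n}")
    flagged, lockouts = find_failure_bursts(records)
    for user, n in flagged.items():
        lines.append(f"ALERT {n} failure audits for {user}")
    for when in lockouts:
        lines.append(f"ALERT account lockout (644) at {when}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Run against a real export, the "machine" and "system" buckets absorb the 538/540/576/673 churn that the thread calls normal, leaving the "user" bucket and the ALERT lines as the part worth reading; the 644 row is flagged by event ID alone because the summary export does not name the locked-out account.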

