It is possible that Scheduled Tasks or applications are causing these events
doing things such as backups or running scripts. There may also be events from
"anonymous" logons/null sessions that also are normal in a network as the browse
list maintenance will generate such. Assuming your firewall is properly
configured, then these events should be generated from only known machines in
the domain as described in the event description. Computer also logon to the
domain and renew their kerberos tickets periodically. Be on the lookout for
events that do not have a plausible explanation. The link below is worth a
read.--- Steve
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx
I started managing a window 2000 domain controller with sp4 for company. When
I check the security log in the morning there are events 538 and 540 (logon and
logoff events) entered in all night when I know users aren't there. Does anyone
know if this is signficant? or what it signifies. The totally firewalled from
traffic intiated from the internet.
