K
Ken Reed
Does anyone have an explanation for this sequence of three Events on a W2K
workstation that's in a domain? The workstation name is WK3577. The user in
this case (AM\User1) is a valid domin user but there is no logical connection
between them and this workstation. There are multiple user accounts
generating these Events.
Sequence is usually Event 576, 540, 538 all within a few seconds
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x564620)
Assigned: SeChangeNotifyPrivilege
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Successful Network Logon:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/11/2009
Time: 11:47:21 PM
User: AM\User1
Computer: WK3577
Description:
User Logoff:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3
workstation that's in a domain? The workstation name is WK3577. The user in
this case (AM\User1) is a valid domin user but there is no logical connection
between them and this workstation. There are multiple user accounts
generating these Events.
Sequence is usually Event 576, 540, 538 all within a few seconds
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x564620)
Assigned: SeChangeNotifyPrivilege
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Successful Network Logon:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/11/2009
Time: 11:47:21 PM
User: AM\User1
Computer: WK3577
Description:
User Logoff:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3