Solved

SO MANY success audit entries in the Event Viewer Security Log

Posted on 2004-08-11
3
1,401 Views
Last Modified: 2013-12-04
Hi.

WHile trying to see why/when a users sign on got locked out, i was looking thru the Event Viewer / Security log.

Seems there were a ton, I mean A TON of Success Audit from very late night from a multitude of pc's that i know users are not signing onto.  
 
Most entries are :
ID 540 - Successful Network Logon
ID 538 - User Logoff
ID 680 - Account used for logon by

Does anyone know why so many entries that shouldnt be?

thanks.

ST
0
Comment
Question by:ststst
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 2

Expert Comment

by:chuckatwork
ID: 11779683
Maybe try logon hour restrictions for the account in AD to troubleshoot. Just find the user in AD and there is an hour logon restriction tab. Could they be running scripts? Can you turn off a user's computer to see if it appears that night?
0
 
LVL 12

Accepted Solution

by:
alandc earned 100 total points
ID: 12227457
I would suggest that the computer is infected with some trojan, spyware, or virus that is attempting to replicate across the network. Does the user log off their comptuer in the evening when they leave? If the activity is legitimate it might be their desktop antivirus scanning network drives or some other such searching or indexing function. We always have users reboot or logoff their computer but not shut them down so we can administer updates during the late/early hours.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Updating clients Trend Micro (OfficeScan) Console 5 125
Low-cost /freeware IOC tools 4 81
Botnet detection help me please 21 161
FTP server windows 2008 5 69
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question