Solved

Event Viewer showing multiple logon/logoff events

Posted on 2004-10-25
Last Modified: 2007-12-19
The Event Viewer is showing from 5-11 events per user logon/logoff. Filters did not work to satisfaction. An example is here:
 Type      Date      Time      Source      Category      Event      User      Computer
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       538      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       538      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       538      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:43 PM      Security      System Event       517      SYSTEM      528-WINSERVER2


---This was one person logging into their system - Any ideas or known fixes?
Question by:tcpfargo
    5 Comments
     

    Expert Comment

    by:crissand
    Yes, you can change the security audit to only the events that you want. The filters from event viewer are only for viewing events, not for registering in audit log.

    Accepted Solution

    by:
    You can change the logging filter in the default domain policy.

    To reach the Default Domain Policy GPO, open the Microsoft Management Console—MMC—Active Directory Users and Computers snap-in, select your domain's root, right-click, select Properties, then click the Group Policy tab.

    You can also download the GPMC at this link and make your changes with it.
    http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

    kelo501

    Author Comment

    by:tcpfargo
    Thanks guys. The 2nd response I think is in the right direction. But what is done in the group policy tab once we are there? Will the GPMC filter these out? Also the User id says "system" not the user name. I will be adding more points to this once we can get a little closer to the solution.

    Expert Comment

    by:kelo501
    Once you are there click:
    Security Settings > LocalPolicy > Audit Policy

    In the right pane will be the objects you can configure.  Select one and right click properties to configure.

    If you use the Group Policy Management Console there is a lot more information provided for each setting when you highlight it.

    If you need anything let me know.

    kelo

    Expert Comment

    by:crissand
    No objections.
    0
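
An added example, not part of the original thread: a Python script that tallies an exported Security log by the Audit Policy setting that produces each event category, which shows which settings are worth narrowing. The sample rows and the host name HOST-A are constructed; the category-to-setting mapping and the event descriptions are the Windows 2000/2003 ones.

```python
import re
from collections import Counter

# Security log category -> setting under Audit Policy that generates it.
CATEGORY_TO_POLICY = {
    "Logon/Logoff": "Audit logon events",
    "Privilege Use": "Audit privilege use",
    "System Event": "Audit system events",
}
# Meaning of the event IDs seen in the question (Windows 2000/2003 numbering).
EVENT_MEANING = {
    "538": "User logoff",
    "540": "Successful network logon",
    "576": "Special privileges assigned to new logon",
    "517": "Audit log cleared",
}
# Constructed sample in the same column layout as the Event Viewer export.
SAMPLE = """\
Type      Date      Time      Source      Category      Event      User      Computer
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       538      SYSTEM      HOST-A
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      HOST-A
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      HOST-A
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      HOST-A
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      HOST-A
Success Audit      10/21/2004      3:38:43 PM      Security      System Event       517      SYSTEM      HOST-A
"""

def parse_events(text):
    """Yield (category, event_id) from a tab- or multi-space-separated export."""
    for line in text.splitlines():
        cols = re.split(r"\s{2,}|\t", line.strip())
        if len(cols) == 8 and cols[5].isdigit():  # skips header and blank lines
            yield cols[4], cols[5]

def summarize(text):
    """Count events per audit policy setting and per event ID."""
    by_policy, by_event = Counter(), Counter()
    for category, event_id in parse_events(text):
        by_policy[CATEGORY_TO_POLICY.get(category, "unknown: " + category)] += 1
        by_event[event_id] += 1
    return by_policy, by_event

if __name__ == "__main__":
    by_policy, by_event = summarize(SAMPLE)
    for policy, n in by_policy.most_common():
        print(f"{n:3d}  {policy}")
    for event_id, n in sorted(by_event.items()):
        print(f"{n:3d}  {event_id}  {EVENT_MEANING.get(event_id, '?')}")
```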
