Security Log Analysis

Posted on 2007-07-30
Last Modified: 2013-12-04

Hi Experts,

I have a domain user account that has generated 1 million logon failures; the event log is the following.

530,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY  
680,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F    

How can I further analyse this event? Is it possible to actually point out if this is caused by a PC process, e.g. Outlook on the client PC trying to maintain connectivity with Exchange during restricted hours?

Is there an application that can better manage and help correlate Windows event logs?
Question by: Admin1980

    Expert Comment

    by:Toni Uranjek

    One million is a huge number. But the details of your event explain that you have "Account logon time restriction violation" and Logon Type: 3, which is a network logon. Do you actually have time restrictions implemented, and if so, does the user log off? It is possible that accessing the mail server or mapping (trying to access a network folder) would generate these kinds of events.



    Author Comment

    The user does have a tendency to only lock his PC without logging off. The strange thing is, why did it only start happening at 4:40am and not at 10pm the previous day, since that's when the login time restriction takes effect? I will check his PC logs. Do you or anyone else have any other suggestions before I close this ticket?

    Accepted Solution

    Because it only restricts the logon time. It does not enforce the logoff. To do that: see (the part about 'Enforce Logon Time Restrictions Using Group Policy')
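
As a follow-up to the question of how to analyse these events further, here is an added example that is not part of the original thread. It assumes the Security log has been exported as comma-separated text in the format quoted in the question; `parse_event` and `summarise` are hypothetical names, and every sample line except the 05:59:58 pair is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Field labels as they appear in the 530/680 descriptions quoted in the question.
LABELS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process", "Authentication Package",
          "Workstation Name", "Logon attempt by", "Logon account", "Source Workstation", "Error Code"]
_ALT = "|".join(map(re.escape, LABELS))
FIELD_RE = re.compile(rf"({_ALT}):\s*(.*?)\s*(?=(?:{_ALT}):|$)")
LOGON_TYPES = {"2": "interactive", "3": "network", "7": "unlock"}
NTSTATUS = {"0xC000006F": "STATUS_INVALID_LOGON_HOURS"}

# Constructed sample: the 05:59:58 pair is from the question, the 04:40 lines are made up.
SAMPLE = r"""
530,AUDIT FAILURE,Security,Mon Jul 30 04:40:12 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY
680,AUDIT FAILURE,Security,Mon Jul 30 04:40:12 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F
530,AUDIT FAILURE,Security,Mon Jul 30 04:40:13 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY
530,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY
680,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F
"""

def parse_event(line):
    event_id, _result, _log, ts, _account, desc = line.rstrip().split(",", 5)
    f = dict(FIELD_RE.findall(desc))  # label -> value pairs from the description
    return {
        "event_id": int(event_id),
        "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
        "user": f.get("User Name") or f.get("Logon account"),
        "workstation": f.get("Workstation Name") or f.get("Source Workstation"),
        "logon_type": LOGON_TYPES.get(f.get("Logon Type"), f.get("Logon Type")),
        "status": NTSTATUS.get(f.get("Error Code"), f.get("Error Code")),
        "reason": f.get("Reason"),
    }

def summarise(lines):
    """Count 530 failures per (user, workstation) and per hour, note onset, tally 680 codes."""
    per_source, per_hour, first_seen, statuses = Counter(), Counter(), {}, Counter()
    for ev in map(parse_event, filter(str.strip, lines)):
        key = (ev["user"], ev["workstation"])
        if ev["event_id"] == 680:
            statuses[ev["status"]] += 1
        elif ev["event_id"] == 530:
            per_source[key] += 1
            per_hour[ev["time"].strftime("%Y-%m-%d %H:00")] += 1
            first_seen[key] = min(first_seen.get(key, ev["time"]), ev["time"])
    return per_source, per_hour, first_seen, statuses

if __name__ == "__main__":
    print(*summarise(SAMPLE.splitlines()), sep="\n")
```

The per-hour histogram and the first-seen timestamp show when a given workstation started failing, which can then be compared with that PC's own logs for the same minute.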

