
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 315

Security Log Analysis

Hi Experts,

I have a domain user account that has generated 1 million logon failures. The event log is the following.

530,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY  
680,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F    

How can I further analyse this event? Is it possible to actually point out if this is caused by a PC process, e.g. Outlook on the client PC trying to maintain connectivity with Exchange during restricted hours?

Is there an application that can better manage and help correlate Windows event logs?
1 Solution
Toni Uranjek (Consultant/Trainer) Commented:

One million is a huge number. But the details of your event explain that you have "Account logon time restriction violation" and Logon Type: 3, which is a network logon. Do you actually have time restrictions implemented, and if so, does the user log off? It is possible that accessing the mail server or mapping (trying to access a network folder) would generate these kinds of events.


Admin1980 (Author) Commented:
The user does have a tendency to only lock his PC without logging off. The strange thing is, why did it only start happening at 4:40am and not at 10pm the previous day, since that's when the login time restriction takes effect? I will check his PC logs. Do you or anyone else have any other suggestions before I close this ticket?
Because it only restricts the logon time. It does not enforce the logoff. To do that: see http://support.microsoft.com/default.aspx/kb/816666 (the part about 'Enforce Logon Time Restrictions Using Group Policy')
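
For the correlation question raised in the thread, here is an added example (not part of the original posts) that parses records in the comma-separated layout quoted in the question and groups events 530 and 680 per account and source workstation, reporting the first occurrence and an hour-by-hour count. The field names are taken from the two quoted records; the 04:40:12 sample records, the function names and the wording of the NTSTATUS descriptions are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Subset of NTSTATUS codes that event 680 reports in "Error Code".
NTSTATUS = {"0xC0000064": "no such user", "0xC000006A": "wrong password",
            "0xC000006F": "outside permitted logon hours",
            "0xC0000070": "workstation restriction",
            "0xC0000234": "account locked out"}
FIELD = re.compile(r"(Reason|User Name|Domain|Logon Type|Workstation Name|"
                   r"Logon account|Source Workstation|Error Code):"
                   r"\s*(.*?)(?=\s{2,}|$)")

# Constructed sample: the 05:59:58 records are the two quoted in the question;
# the 04:40:12 records are made up for the demonstration.
SAMPLE = r"""530,AUDIT FAILURE,Security,Mon Jul 30 04:40:12 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Workstation Name: TD-4031-32RY
680,AUDIT FAILURE,Security,Mon Jul 30 04:40:12 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F
530,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY
680,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F
"""

def parse(line):
    """Return one record as a dict, or None if the line is not a log record."""
    parts = line.strip().split(",", 5)
    if len(parts) != 6 or not parts[0].isdigit():
        return None
    rec = dict(FIELD.findall(parts[5]))
    rec["event_id"] = int(parts[0])
    rec["time"] = datetime.strptime(parts[3], "%a %b %d %H:%M:%S %Y")
    return rec

def summarize(text):
    """Correlate 530 and 680 failures per (account, source workstation)."""
    out = {}
    for rec in filter(None, map(parse, text.splitlines())):
        account = rec.get("User Name") or rec.get("Logon account")
        source = rec.get("Workstation Name") or rec.get("Source Workstation")
        code = rec.get("Error Code")
        s = out.setdefault((account, source), {"first": rec["time"],
            "events": Counter(), "hours": Counter(), "causes": set()})
        s["first"] = min(s["first"], rec["time"])
        s["events"][rec["event_id"]] += 1
        s["hours"][rec["time"].hour] += 1
        s["causes"].add(rec.get("Reason") or NTSTATUS.get(code, code))
    return out

if __name__ == "__main__":
    for (account, source), s in summarize(SAMPLE).items():
        print(account, source, s["first"], dict(s["events"]),
              sorted(s["hours"].items()), sorted(s["causes"]))
```

Run against the full export, the `first` timestamp and the per-hour counts show when the failures began, and the source workstation identifies which client's own logs to check next.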

