Security Log Analysis

Hi Experts,

I have a domain user account that has generated 1 million logon failures. The event log entries are the following.

530,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY  
680,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F    

How can I further analyse this event? Is it possible to actually point out if this is caused by a PC process, e.g. Outlook on the client PC trying to maintain connectivity with Exchange during restricted hours?

Is there an application that can better manage and help correlate Windows event logs?
Admin1980 Asked:
 
PowerIT Commented:
Because it only restricts the logon time. It does not enforce the logoff. To do that: see http://support.microsoft.com/default.aspx/kb/816666 (the part about 'Enforce Logon Time Restrictions Using Group Policy')

J.
 
Toni Uranjek (Consultant/Trainer) Commented:
Hi!

One million is a huge number. But the details of your event explain that you have "Account logon time restriction violation" and Logon Type: 3, which is a network logon. Do you actually have time restrictions implemented, and if so, does the user log off? It is possible that accessing the mail server or mapping (trying to access a network folder) would generate these kinds of events.

HTH

Toni
 
Admin1980 (Author) Commented:
The user does have a tendency to only lock his PC without logging off. The strange thing is, why did it only start happening at 4:40am and not at 10pm the previous day, since that's when the login time restriction takes effect? I will check his PC logs. Do you or anyone else have any other suggestions before I close this ticket?
Question has a verified solution.
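
Added example, not part of the original thread: a Python parser for the comma-separated export format quoted in the question. It groups the 530/680 failures by account and source workstation and reports the first and last occurrence, an hourly count and the reasons or error codes seen, which is the data needed to check when the failures actually began. The sample lines are constructed from the two quoted events (timestamps other than 05:59:58 are made up), and all function and field names are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the two quoted events, repeated with made-up timestamps.
T530 = r"530,AUDIT FAILURE,Security,{ts},NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY  "
T680 = r"680,AUDIT FAILURE,Security,{ts},NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F    "
STAMPS = ("Mon Jul 30 04:40:02 2007", "Mon Jul 30 04:40:09 2007", "Mon Jul 30 05:59:58 2007")
SAMPLE = [t.format(ts=ts) for ts in STAMPS for t in (T680, T530)]

USER = re.compile(r"(?:User Name|Logon account):\s+(.*?)\s{2,}")
HOST = re.compile(r"(?:Workstation Name|Source Workstation):\s+(\S+)")
CODE = re.compile(r"Error Code:\s+(0x[0-9A-Fa-f]{8})")
REASON = re.compile(r"Reason:\s+(.*?)\s{2,}")

def parse(line):
    """Return a dict for a 530/680 line, or None for anything else."""
    parts = line.split(",", 5)  # the description is the sixth field
    if len(parts) != 6 or parts[0] not in ("530", "680"):
        return None
    event_id, _, _, ts, _, desc = parts
    desc += "  "  # lets the lazy matches end on the last field too
    user, host = USER.search(desc), HOST.search(desc)
    if not (user and host):
        return None
    detail = CODE.search(desc) or REASON.search(desc)
    return {"id": int(event_id),
            "time": datetime.strptime(ts.strip(), "%a %b %d %H:%M:%S %Y"),
            "user": user.group(1).lower(), "host": host.group(1).upper(),
            "detail": detail.group(1) if detail else ""}

def summarize(lines):
    """Group failures by (account, source workstation)."""
    out = defaultdict(lambda: {"first": None, "last": None,
                               "by_hour": Counter(), "details": Counter()})
    for rec in filter(None, map(parse, lines)):
        s = out[(rec["user"], rec["host"])]
        s["first"] = min(s["first"] or rec["time"], rec["time"])
        s["last"] = max(s["last"] or rec["time"], rec["time"])
        # Assumption: each attempt logs one 530 plus one 680, as in the
        # quoted sample, so only 530 is counted in the hourly rate.
        if rec["id"] == 530:
            s["by_hour"][rec["time"].strftime("%Y-%m-%d %H:00")] += 1
        s["details"][rec["detail"]] += 1
    return dict(out)

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats["first"], stats["last"], dict(stats["by_hour"]))
```

Error code 0xC000006F in the 680 record is STATUS_INVALID_LOGON_HOURS, the same condition the 530 record reports as "Account logon time restriction violation".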
