?
Solved

Event ID 538

Posted on 2007-12-06
7
Medium Priority
?
1,253 Views
Last Modified: 2012-08-13
All users from the domain show event ID 538 logon then immediately show event  ID 538 logoff from the Event security log of the Domain controller,   even though the user never logged off the domain.  Any help with this is greatly appreaciated.
0
Comment
Question by:bksnow
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 2

Expert Comment

by:biztopia
ID: 20425218
0
 

Author Comment

by:bksnow
ID: 20425392
Sorry that talks about the token leak never getting to zero. My issues is that the event logoff is generated right at the point of logon for the domain user. So the domain thinks the user has logged on then instantly logged off.
0
 
LVL 2

Expert Comment

by:biztopia
ID: 20425409
Ah ok.  Can you post the full description contained in one of the events?

Cheers
D.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 39

Expert Comment

by:ChiefIT
ID: 20425818
0
 

Author Comment

by:bksnow
ID: 20426843
I understand that.  The issue is that the user never actually logs out, the DC records the log out event instantly when the user logged on.   So it looks like in the event log that all users log in then instantly log out

example
12:01:01 event Id 538 Logon    - User boots up and logons
12:01:02 event ID 538 Logout  -  even though the user is actually still connected.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 20429632
I don't know the details of logging on to  and authenitcaiting with the domain controller.. Nor, do I know of the need to be constantly connected to the domain controller.

I do know, when a client logs on, it will authenticate with the domain controller for permissions to be on the domain. That only takes a couple seconds. The client will also get a DHCP from the server if needed. That only takes a couple milliseconds. So, is the domain controller constantly needed for a client to be on the domain, or can the client authenitcate and get off the DC without causing problems?

Event ID 538 are successful logons and log offs. If you see no issues with the domain, then I am not sure I would worry about the event, rather than the filling up of the security event log. Someone may have elected to see who is logging into the domain and set events 538 to display in event viewer. Sometimes administrators do this to see who is on and at what times. By default, I would imagine these events are not displayed on a DC. It would be to filling of the event logs.

Bottom line is, Maybe logging off, right after logging on is the nature of the beast and if you don't want these events showing in your event logs, edit what you are seeing in event viewer.
0
 

Expert Comment

by:sndmnsix
ID: 37470958
I actually had the same issue in my domain where the security event log was filling up with virtually every user in the AD reporting a 538 or 540 login or logout.  I went into Group Policy on the top level of the domain and turned off a few auditing policies that weren't configured.

Computer Configuration
- Windows Settings
-Security Settings
-Local Policies
-Audit Policy

set these for 'no auditing' :
'Audit account logon events'
'Audit logon event'
'Audit object access'
'Audit directory service access'

I'm sure there's a better way of doing this since this will basically trump any drilled down level of auditing that may already be  in place elsewhere.  The trick is finding it.  Anyway,  the security log slowed way down, which is what my aim was.  


0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  T…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Integration Management Part 2
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question