?
Solved

Event ID 538

Posted on 2007-12-06
7
Medium Priority
?
1,244 Views
Last Modified: 2012-08-13
All users from the domain show event ID 538 logon then immediately show event  ID 538 logoff from the Event security log of the Domain controller,   even though the user never logged off the domain.  Any help with this is greatly appreaciated.
0
Comment
Question by:bksnow
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 2

Expert Comment

by:biztopia
ID: 20425218
0
 

Author Comment

by:bksnow
ID: 20425392
Sorry that talks about the token leak never getting to zero. My issues is that the event logoff is generated right at the point of logon for the domain user. So the domain thinks the user has logged on then instantly logged off.
0
 
LVL 2

Expert Comment

by:biztopia
ID: 20425409
Ah ok.  Can you post the full description contained in one of the events?

Cheers
D.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 39

Expert Comment

by:ChiefIT
ID: 20425818
0
 

Author Comment

by:bksnow
ID: 20426843
I understand that.  The issue is that the user never actually logs out, the DC records the log out event instantly when the user logged on.   So it looks like in the event log that all users log in then instantly log out

example
12:01:01 event Id 538 Logon    - User boots up and logons
12:01:02 event ID 538 Logout  -  even though the user is actually still connected.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 20429632
I don't know the details of logging on to  and authenitcaiting with the domain controller.. Nor, do I know of the need to be constantly connected to the domain controller.

I do know, when a client logs on, it will authenticate with the domain controller for permissions to be on the domain. That only takes a couple seconds. The client will also get a DHCP from the server if needed. That only takes a couple milliseconds. So, is the domain controller constantly needed for a client to be on the domain, or can the client authenitcate and get off the DC without causing problems?

Event ID 538 are successful logons and log offs. If you see no issues with the domain, then I am not sure I would worry about the event, rather than the filling up of the security event log. Someone may have elected to see who is logging into the domain and set events 538 to display in event viewer. Sometimes administrators do this to see who is on and at what times. By default, I would imagine these events are not displayed on a DC. It would be to filling of the event logs.

Bottom line is, Maybe logging off, right after logging on is the nature of the beast and if you don't want these events showing in your event logs, edit what you are seeing in event viewer.
0
 

Expert Comment

by:sndmnsix
ID: 37470958
I actually had the same issue in my domain where the security event log was filling up with virtually every user in the AD reporting a 538 or 540 login or logout.  I went into Group Policy on the top level of the domain and turned off a few auditing policies that weren't configured.

Computer Configuration
- Windows Settings
-Security Settings
-Local Policies
-Audit Policy

set these for 'no auditing' :
'Audit account logon events'
'Audit logon event'
'Audit object access'
'Audit directory service access'

I'm sure there's a better way of doing this since this will basically trump any drilled down level of auditing that may already be  in place elsewhere.  The trick is finding it.  Anyway,  the security log slowed way down, which is what my aim was.  


0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question