bksnow
asked on
Event ID 538
All users from the domain show event ID 538 logon then immediately show event ID 538 logoff in the Security event log of the domain controller, even though the user never logged off the domain. Any help with this is greatly appreciated.
ASKER
Sorry, that talks about the token leak never getting to zero. My issue is that the logoff event is generated right at the point of logon for the domain user. So the domain thinks the user has logged on and then instantly logged off.
Ah ok. Can you post the full description contained in one of the events?
Cheers
D.
Event ID 538 is a successful logon and logoff.
http://www.eventid.net/display.asp?eventid=538&eventno=7&source=Security&phase=1
ASKER
I understand that. The issue is that the user never actually logs out; the DC records the logout event instantly when the user logs on. So it looks in the event log as if all users log in and then instantly log out.
example
12:01:01 event ID 538 Logon - User boots up and logs on
12:01:02 event ID 538 Logoff - even though the user is actually still connected.
ASKER CERTIFIED SOLUTION
I actually had the same issue in my domain where the security event log was filling up with virtually every user in the AD reporting a 538 or 540 login or logout. I went into Group Policy on the top level of the domain and turned off a few auditing policies that weren't configured.
Computer Configuration
- Windows Settings
-Security Settings
-Local Policies
-Audit Policy
set these for 'no auditing' :
'Audit account logon events'
'Audit logon event'
'Audit object access'
'Audit directory service access'
I'm sure there's a better way of doing this since this will basically trump any drilled down level of auditing that may already be in place elsewhere. The trick is finding it. Anyway, the security log slowed way down, which is what my aim was.
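Added example, not from either poster: before trimming audit policy as the accepted answer does, the first thing to check on the logon/logoff pattern the asker describes is whether each 538 (User Logoff) really closes the same session as the preceding logon. The script below pairs 538 events with 528 (Successful Logon) or 540 (Successful Network Logon) events by their Logon ID, reports session duration and Logon Type, and flags sessions closed within a few seconds, logons that never close, and logoffs with no visible logon. The event records, user names, workstation names and Logon ID values are constructed to look like Windows Server 2003 Security log descriptions; they are not real log data.

```python
import re
from datetime import datetime, timedelta

# Event IDs as used on Windows 2000/2003 domain controllers.
LOGON_EVENTS = {528: "Successful Logon", 540: "Successful Network Logon"}
LOGOFF_EVENT = 538

# Pull the "Name:\tvalue" fields out of the event description text.
FIELD_RE = re.compile(
    r"^\s*(User Name|Domain|Logon ID|Logon Type|Workstation Name):\s*(.*?)\s*$",
    re.MULTILINE,
)

# Constructed sample records (timestamp, event ID, description); not real data.
SAMPLE_EVENTS = [
    ("2004-03-01 12:01:01", 540, "Successful Network Logon:\n\tUser Name:\tbksnow\n\tDomain:\tCORP\n"
                                 "\tLogon ID:\t(0x0,0x3E7A1)\n\tLogon Type:\t3\n\tWorkstation Name:\tWS01"),
    ("2004-03-01 12:01:02", 538, "User Logoff:\n\tUser Name:\tbksnow\n\tDomain:\tCORP\n"
                                 "\tLogon ID:\t(0x0,0x3E7A1)\n\tLogon Type:\t3"),
    ("2004-03-01 12:01:05", 528, "Successful Logon:\n\tUser Name:\tadmin\n\tDomain:\tCORP\n"
                                 "\tLogon ID:\t(0x0,0x3F000)\n\tLogon Type:\t10\n\tWorkstation Name:\tDC01"),
    ("2004-03-01 12:03:30", 540, "Successful Network Logon:\n\tUser Name:\tjdoe\n\tDomain:\tCORP\n"
                                 "\tLogon ID:\t(0x0,0x40B12)\n\tLogon Type:\t3\n\tWorkstation Name:\tWS02"),
    ("2004-03-01 12:03:31", 538, "User Logoff:\n\tUser Name:\tjdoe\n\tDomain:\tCORP\n"
                                 "\tLogon ID:\t(0x0,0x40B12)\n\tLogon Type:\t3"),
    ("2004-03-01 12:45:10", 538, "User Logoff:\n\tUser Name:\tadmin\n\tDomain:\tCORP\n"
                                 "\tLogon ID:\t(0x0,0x3F000)\n\tLogon Type:\t10"),
    ("2004-03-01 12:50:00", 540, "Successful Network Logon:\n\tUser Name:\tmsmith\n\tDomain:\tCORP\n"
                                 "\tLogon ID:\t(0x0,0x41C00)\n\tLogon Type:\t3\n\tWorkstation Name:\tWS03"),
    ("2004-03-01 12:51:00", 538, "User Logoff:\n\tUser Name:\tsvc_backup\n\tDomain:\tCORP\n"
                                 "\tLogon ID:\t(0x0,0x12345)\n\tLogon Type:\t3"),
]


def parse_event(timestamp, event_id, description):
    """Turn one (timestamp, id, description) record into a flat dict."""
    fields = dict(FIELD_RE.findall(description))
    return {
        "time": datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S"),
        "id": event_id,
        "user": f"{fields.get('Domain', '?')}\\{fields.get('User Name', '?')}",
        "logon_id": fields.get("Logon ID"),
        "logon_type": int(fields["Logon Type"]) if "Logon Type" in fields else None,
        "workstation": fields.get("Workstation Name"),
    }


def correlate_sessions(raw_events):
    """Pair each 538 with the 528/540 that carries the same Logon ID.

    Returns (closed sessions, logons still open at end of log, logoffs whose
    logon is not in the log, e.g. it was audited before the log was cleared).
    """
    open_logons = {}
    sessions, orphan_logoffs = [], []
    for ts, eid, desc in sorted(raw_events, key=lambda e: e[0]):
        ev = parse_event(ts, eid, desc)
        if eid in LOGON_EVENTS:
            open_logons[ev["logon_id"]] = ev
        elif eid == LOGOFF_EVENT:
            start = open_logons.pop(ev["logon_id"], None)
            if start is None:
                orphan_logoffs.append(ev)
                continue
            sessions.append({
                "user": start["user"],
                "logon_id": start["logon_id"],
                "logon_type": start["logon_type"],
                "workstation": start["workstation"],
                "start": start["time"],
                "duration": ev["time"] - start["time"],
            })
    return sessions, list(open_logons.values()), orphan_logoffs


def short_sessions(sessions, threshold=timedelta(seconds=5)):
    """Sessions closed within `threshold` of opening: the pattern in the question."""
    return [s for s in sessions if s["duration"] <= threshold]


if __name__ == "__main__":
    sessions, still_open, orphans = correlate_sessions(SAMPLE_EVENTS)
    for s in sessions:
        print(f"{s['user']:<16} type {s['logon_type']:<2} from {s['workstation']:<5} "
              f"logon ID {s['logon_id']} lasted {s['duration']}")
    print(f"{len(short_sessions(sessions))} session(s) closed within 5 s, "
          f"{len(still_open)} still open, {len(orphans)} logoff(s) without a logon")
```

On the constructed input the two one-second sessions are both Logon Type 3 (network) logons from workstations, while the Type 10 session on DC01 lasts 44 minutes; splitting the report by Logon Type and Logon ID this way shows what the DC is actually auditing before any audit category is switched off.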
http://www.monitorware.com/Common/en/SecurityReference/Event-ID-538-Explained.php
Cheers
D.