Solved

Event ID 538

Posted on 2007-12-06
7
1,232 Views
Last Modified: 2012-08-13
All users from the domain show event ID 538 logon then immediately show event  ID 538 logoff from the Event security log of the Domain controller,   even though the user never logged off the domain.  Any help with this is greatly appreaciated.
0
Comment
Question by:bksnow
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 2

Expert Comment

by:biztopia
ID: 20425218
0
 

Author Comment

by:bksnow
ID: 20425392
Sorry that talks about the token leak never getting to zero. My issues is that the event logoff is generated right at the point of logon for the domain user. So the domain thinks the user has logged on then instantly logged off.
0
 
LVL 2

Expert Comment

by:biztopia
ID: 20425409
Ah ok.  Can you post the full description contained in one of the events?

Cheers
D.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 38

Expert Comment

by:ChiefIT
ID: 20425818
0
 

Author Comment

by:bksnow
ID: 20426843
I understand that.  The issue is that the user never actually logs out, the DC records the log out event instantly when the user logged on.   So it looks like in the event log that all users log in then instantly log out

example
12:01:01 event Id 538 Logon    - User boots up and logons
12:01:02 event ID 538 Logout  -  even though the user is actually still connected.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 20429632
I don't know the details of logging on to  and authenitcaiting with the domain controller.. Nor, do I know of the need to be constantly connected to the domain controller.

I do know, when a client logs on, it will authenticate with the domain controller for permissions to be on the domain. That only takes a couple seconds. The client will also get a DHCP from the server if needed. That only takes a couple milliseconds. So, is the domain controller constantly needed for a client to be on the domain, or can the client authenitcate and get off the DC without causing problems?

Event ID 538 are successful logons and log offs. If you see no issues with the domain, then I am not sure I would worry about the event, rather than the filling up of the security event log. Someone may have elected to see who is logging into the domain and set events 538 to display in event viewer. Sometimes administrators do this to see who is on and at what times. By default, I would imagine these events are not displayed on a DC. It would be to filling of the event logs.

Bottom line is, Maybe logging off, right after logging on is the nature of the beast and if you don't want these events showing in your event logs, edit what you are seeing in event viewer.
0
 

Expert Comment

by:sndmnsix
ID: 37470958
I actually had the same issue in my domain where the security event log was filling up with virtually every user in the AD reporting a 538 or 540 login or logout.  I went into Group Policy on the top level of the domain and turned off a few auditing policies that weren't configured.

Computer Configuration
- Windows Settings
-Security Settings
-Local Policies
-Audit Policy

set these for 'no auditing' :
'Audit account logon events'
'Audit logon event'
'Audit object access'
'Audit directory service access'

I'm sure there's a better way of doing this since this will basically trump any drilled down level of auditing that may already be  in place elsewhere.  The trick is finding it.  Anyway,  the security log slowed way down, which is what my aim was.  


0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Learn about cloud computing and its benefits for small business owners.
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question