Solved

Event ID 538

Posted on 2007-12-06
Last Modified: 2012-08-13
All users from the domain show event ID 538 logon then immediately show event ID 538 logoff from the Event security log of the Domain controller, even though the user never logged off the domain. Any help with this is greatly appreciated.
Question by:bksnow
7 Comments
 
LVL 2

Expert Comment

by:biztopia
ID: 20425218
0
 

Author Comment

by:bksnow
ID: 20425392
Sorry, that talks about the token leak never getting to zero. My issue is that the event logoff is generated right at the point of logon for the domain user. So the domain thinks the user has logged on then instantly logged off.
0
 
LVL 2

Expert Comment

by:biztopia
ID: 20425409
Ah ok.  Can you post the full description contained in one of the events?

Cheers
D.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20425818
0
 

Author Comment

by:bksnow
ID: 20426843
I understand that. The issue is that the user never actually logs out; the DC records the logout event instantly when the user logs on. So it looks in the event log like all users log in then instantly log out.

Example:
12:01:01 event ID 538 Logon  - User boots up and logs on
12:01:02 event ID 538 Logout - even though the user is actually still connected.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 20429632
I don't know the details of logging on to and authenticating with the domain controller, nor do I know of the need to be constantly connected to the domain controller.

I do know, when a client logs on, it will authenticate with the domain controller for permissions to be on the domain. That only takes a couple seconds. The client will also get a DHCP from the server if needed. That only takes a couple milliseconds. So, is the domain controller constantly needed for a client to be on the domain, or can the client authenticate and get off the DC without causing problems?

Event ID 538 are successful logons and log offs. If you see no issues with the domain, then I am not sure I would worry about the event, rather than the filling up of the security event log. Someone may have elected to see who is logging into the domain and set events 538 to display in Event Viewer. Sometimes administrators do this to see who is on and at what times. By default, I would imagine these events are not displayed on a DC. It would be too filling of the event logs.

Bottom line is, maybe logging off right after logging on is the nature of the beast, and if you don't want these events showing in your event logs, edit what you are seeing in Event Viewer.
0
 

Expert Comment

by:sndmnsix
ID: 37470958
I actually had the same issue in my domain where the security event log was filling up with virtually every user in the AD reporting a 538 or 540 login or logout. I went into Group Policy on the top level of the domain and turned off a few auditing policies that weren't configured.

Computer Configuration
- Windows Settings
- Security Settings
- Local Policies
- Audit Policy

Set these for 'no auditing':
'Audit account logon events'
'Audit logon events'
'Audit object access'
'Audit directory service access'

I'm sure there's a better way of doing this since this will basically trump any drilled down level of auditing that may already be in place elsewhere. The trick is finding it. Anyway, the security log slowed way down, which is what my aim was.


0
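An added example, not part of any post in this thread: a Python sketch that pairs logon and logoff records by Logon ID and reports each session's logon type and duration, one way to check whether the near-instant logoffs seen on a DC are short network sessions (logon type 3) before deciding which auditing to turn off. It uses the Windows 2000/2003 Security log numbering (528 and 540 as logon, 538 as logoff); the record layout, account names, Logon IDs and function names are constructed for illustration.

```python
from datetime import datetime

LOGON_EVENTS = {528, 540}   # successful logon / successful network logon
LOGOFF_EVENT = 538          # user logoff
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}

# Constructed sample records: (time, event ID, user, Logon ID, logon type).
SAMPLE = [
    ("2007-12-06 12:01:01", 540, "CORP\\alice", "0x3e8a1", 3),
    ("2007-12-06 12:01:02", 538, "CORP\\alice", "0x3e8a1", 3),
    ("2007-12-06 12:01:05", 528, "CORP\\admin", "0x3e9b2", 2),  # console logon
    ("2007-12-06 12:01:06", 540, "CORP\\bob", "0x3e9c7", 3),
    ("2007-12-06 12:01:06", 538, "CORP\\bob", "0x3e9c7", 3),
    ("2007-12-06 17:30:00", 538, "CORP\\admin", "0x3e9b2", 2),
]

def pair_sessions(records):
    """Match each logoff to the earlier logon that carries the same Logon ID."""
    open_sessions, closed = {}, []
    for stamp, event_id, user, logon_id, logon_type in records:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id in LOGON_EVENTS:
            open_sessions[logon_id] = (when, user, logon_type)
        elif event_id == LOGOFF_EVENT and logon_id in open_sessions:
            start, who, ltype = open_sessions.pop(logon_id)
            closed.append({
                "user": who,
                "type": LOGON_TYPES.get(ltype, str(ltype)),
                "seconds": int((when - start).total_seconds()),
            })
    return closed, open_sessions

def short_network_share(sessions, threshold=5):
    """Fraction of closed sessions that are network logons ended within threshold seconds."""
    if not sessions:
        return 0.0
    hits = [s for s in sessions
            if s["type"] == "network" and s["seconds"] <= threshold]
    return len(hits) / len(sessions)

if __name__ == "__main__":
    closed, still_open = pair_sessions(SAMPLE)
    for s in closed:
        print(f'{s["user"]:12} {s["type"]:12} {s["seconds"]:>6}s')
    print("share of short network sessions:", round(short_network_share(closed), 2))
```
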


Question has a verified solution.
