Solved

Event ID 538

Posted on 2007-12-06
Last Modified: 2012-08-13
All users from the domain show event ID 538 logon then immediately show event ID 538 logoff from the Event security log of the Domain controller, even though the user never logged off the domain. Any help with this is greatly appreciated.
Question by:bksnow
7 Comments
 
LVL 2

Expert Comment

by:biztopia
ID: 20425218
0
 

Author Comment

by:bksnow
ID: 20425392
Sorry, that talks about the token leak never getting to zero. My issue is that the event logoff is generated right at the point of logon for the domain user. So the domain thinks the user has logged on then instantly logged off.
0
 
LVL 2

Expert Comment

by:biztopia
ID: 20425409
Ah ok.  Can you post the full description contained in one of the events?

Cheers
D.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20425818
0
 

Author Comment

by:bksnow
ID: 20426843
I understand that. The issue is that the user never actually logs out, the DC records the log out event instantly when the user logged on. So it looks like in the event log that all users log in then instantly log out.

Example:
12:01:01 event ID 538 Logon  - User boots up and logs on
12:01:02 event ID 538 Logout - even though the user is actually still connected.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 20429632
I don't know the details of logging on to and authenticating with the domain controller. Nor do I know of the need to be constantly connected to the domain controller.

I do know, when a client logs on, it will authenticate with the domain controller for permissions to be on the domain. That only takes a couple seconds. The client will also get a DHCP from the server if needed. That only takes a couple milliseconds. So, is the domain controller constantly needed for a client to be on the domain, or can the client authenticate and get off the DC without causing problems?

Event ID 538 are successful logons and log offs. If you see no issues with the domain, then I am not sure I would worry about the event, rather than the filling up of the security event log. Someone may have elected to see who is logging into the domain and set events 538 to display in event viewer. Sometimes administrators do this to see who is on and at what times. By default, I would imagine these events are not displayed on a DC. It would be too filling of the event logs.

Bottom line is, maybe logging off right after logging on is the nature of the beast, and if you don't want these events showing in your event logs, edit what you are seeing in event viewer.
0
 

Expert Comment

by:sndmnsix
ID: 37470958
I actually had the same issue in my domain where the security event log was filling up with virtually every user in the AD reporting a 538 or 540 login or logout. I went into Group Policy on the top level of the domain and turned off a few auditing policies that weren't configured.

Computer Configuration
- Windows Settings
- Security Settings
- Local Policies
- Audit Policy

Set these for 'no auditing':
'Audit account logon events'
'Audit logon events'
'Audit object access'
'Audit directory service access'

I'm sure there's a better way of doing this since this will basically trump any drilled down level of auditing that may already be in place elsewhere. The trick is finding it. Anyway, the security log slowed way down, which is what my aim was.


0
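An added example, not code from any poster in this thread: one way to check whether the immediate logoffs are short network sessions rather than the user's desktop session is to pair each logon record (528 or 540) with its 538 logoff by Logon ID and look at the Logon Type and duration. The CSV column layout and every sample row are constructed for illustration; the Logon ID and Logon Type fields themselves are part of the 528, 538 and 540 event descriptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample: an exported DC Security log using legacy Windows 2000/2003
# event IDs. The column layout is an assumption made for this example.
SAMPLE = """\
time,event_id,user,logon_type,logon_id
2007-12-06 12:01:01,540,jsmith,3,0x3e1a07
2007-12-06 12:01:02,538,jsmith,3,0x3e1a07
2007-12-06 12:01:05,540,mjones,3,0x3e1b44
2007-12-06 12:01:05,538,mjones,3,0x3e1b44
2007-12-06 12:03:10,528,dcadmin,2,0x3e2c90
2007-12-06 12:47:30,538,dcadmin,2,0x3e2c90
2007-12-06 12:50:00,540,jsmith,3,0x3e3d12
"""

LOGON_IDS = {"528", "540"}  # 528 = successful logon, 540 = successful network logon
LOGOFF_ID = "538"           # 538 = user logoff
LOGON_TYPES = {"2": "interactive", "3": "network"}


def pair_sessions(text):
    """Match each logon to its logoff by Logon ID; return (sessions, still_open)."""
    open_logons, sessions = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["event_id"] in LOGON_IDS:
            open_logons[row["logon_id"]] = (when, row)
        elif row["event_id"] == LOGOFF_ID and row["logon_id"] in open_logons:
            start, logon = open_logons.pop(row["logon_id"])
            sessions.append({
                "user": logon["user"],
                "type": LOGON_TYPES.get(logon["logon_type"], logon["logon_type"]),
                "seconds": (when - start).total_seconds(),
            })
    return sessions, sorted(r["user"] for _, r in open_logons.values())


def short_sessions(sessions, max_seconds=5):
    """Sessions that closed almost immediately, the pattern described in the question."""
    return [s for s in sessions if s["seconds"] <= max_seconds]


if __name__ == "__main__":
    sessions, still_open = pair_sessions(SAMPLE)
    for s in short_sessions(sessions):
        print(f"{s['user']}: {s['type']} session lasted {s['seconds']:.0f}s")
    print("logons with no logoff yet:", still_open)
```

If every short-lived pair turns out to be Logon Type 3, the 538 records are closing network sessions to the DC, which can be filtered or summarized during review instead of switching logon auditing off for the whole domain.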
