Link to home
Start Free TrialLog in
Avatar of admn4tndc
admn4tndc

asked on

UserID creates redundant frequent 538 & 540 events

I am trying to document to times of a users logon and logoff events in a domain env. EventVwr from a domain controller shows "chattering" of events 540 and 538.  Separated by trivially small times.  This chattering authentication, if real, must mean something evil.  It's messing up my ability as "computer cop" to track this user's behavior.

I seem to remember about 2 years ago I struggled with something similar: chattering authentication issues.  Of all the things I've lost, however, I miss my mind the most.  Maybe you folks can remind me. Thanks.

Attached is 1 page Word doc with bitmap pasted in showing eventvwr screen capture.
EventVwr-BIGBOAT-Security-user0.doc
ASKER CERTIFIED SOLUTION
Avatar of martin_babarik
martin_babarik
Flag of Czechia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of admn4tndc
admn4tndc

ASKER

Martin,

OK, so it's not an evil thing happening or broken with this workstation - domain relationship. That's good to know.

Having settled that, back to what I was trying to do in the first place (but didn't explain well in my original writing). I want to know when this person shows up for work and leaves. It's an HR issue of tardiness and work hours. There must be some other event to look for related more directly to the person's activity on his workstation.
I just thought maybe the forum-meister wants me to close this issue and open a new one with the HR aspect of the problem more explicitly stated.