Solved

Unexplained Event Logs on Member Servers

Posted on 2011-09-07
Last Modified: 2012-05-12
Hi,

We are using Windows Server 2003 domain controllers. We have member servers running Windows Server 2003. We have observed some events logged on our member servers with event ID 540.

The users don't have any permission to log in to the server, but some events are still being logged with those user IDs in Event Viewer.

Source: Security
Category: Logon/Logoff
EventID: 540
Type: Success A

Can anyone suggest why these types of events are logged in Event Viewer? We need a resolution for this.

Thanks in Advance.
Question by:gaddam01
11 Comments
 
LVL 20

Expert Comment

by:Lazarus
ID: 36497613
Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. shared folder) provided by the Server service on this computer. The Logon Type will always be 3 or 8, both of which indicate a network logon.
0
 

Author Comment

by:gaddam01
ID: 36497666
Hello,

Thanks for the response. You mean to say that the user has some permissions on any shared folder on the server?

What is the meaning of Network Logon?

If the user doesn't have any logon rights on the server, then why is it showing as Logon/Logoff in Event Viewer?
0
 
LVL 20

Expert Comment

by:Lazarus
ID: 36497746
Yes, if a member of the Active Directory is accessing resources on the server from their client computer, it will log that on the server, since they have accessed the server through the network.

Do you have Shared Folders on this server? A DFS folder etc...?
0

 

Author Comment

by:gaddam01
ID: 36497865
We don't have any shared folders and DFS folders also.
0
 
LVL 20

Expert Comment

by:Lazarus
ID: 36497944
Do you have any server resources available to the network? Is it an Active Directory server? If so, that's all it really takes, if it is getting information from the server. It is not a real issue, but it should also be telling you who is accessing it. Look at the details:

• User Name: %1
• Domain: %2
• Logon ID: %3
• Logon Type: %4
• Logon Process: %5
• Authentication Package: %6
• Workstation Name: %7

You can see from there what WKS is accessing the server and such.
0
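An added example, not part of the original thread: a PowerShell 2.0-compatible way to tally event 540 records by account, source workstation, logon type and authentication package, using the field order listed in the comment above. The function names, the EXAMPLE domain and the sample records are constructed for illustration.

```powershell
# Added example. ReplacementStrings indexes 0..6 correspond to %1..%7 in the post above.
function ConvertFrom-Event540 {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $s = @($Entry.ReplacementStrings)
        if ($s.Count -lt 7) { return }          # truncated record: skip it
        New-Object PSObject -Property @{
            User        = '{0}\{1}' -f $s[1], $s[0]   # Domain\User Name
            LogonType   = $s[3]
            Package     = $s[5]
            Workstation = $s[6]
        }
    }
}

# Count network logons per user / source workstation / logon type / package.
function Get-NetworkLogonSummary {
    param([object[]] $Entries)
    $Entries | ConvertFrom-Event540 |
        Group-Object User, Workstation, LogonType, Package |
        Sort-Object Count -Descending |
        ForEach-Object {
            $g = $_.Group[0]
            New-Object PSObject -Property @{
                Count = $_.Count; User = $g.User; Workstation = $g.Workstation
                LogonType = $g.LogonType; Package = $g.Package
            }
        } | Select-Object Count, User, Workstation, LogonType, Package
}

# Constructed sample records (hypothetical values), shaped like Get-EventLog entries.
function New-SampleEntry([string[]] $Strings) {
    New-Object PSObject -Property @{ ReplacementStrings = $Strings }
}
$sample = @(
    New-SampleEntry 'jsmith','EXAMPLE','(0x0,0x1A2B3C)','3','NtLmSsp','NTLM','WKS-014'
    New-SampleEntry 'jsmith','EXAMPLE','(0x0,0x1A2C10)','3','NtLmSsp','NTLM','WKS-014'
    New-SampleEntry 'ANONYMOUS LOGON','NT AUTHORITY','(0x0,0x1A2D77)','3','NtLmSsp','NTLM','WKS-022'
)
Get-NetworkLogonSummary $sample | Format-Table -AutoSize

# On the member server, feed it the real Security log instead (run with admin rights):
# Get-NetworkLogonSummary (Get-EventLog -LogName Security -InstanceId 540 -Newest 2000)
```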
 

Author Comment

by:gaddam01
ID: 36574741
I have attached the Event Viewer details for the issue. I need to stop these events from happening on the servers.

Even though the users don't have any access or permissions on the servers still it is happening. We don't have any shared or DFS folders on the servers.

This is very urgent. Please help me out on this. Event-viewr-details.doc
0
 
LVL 20

Expert Comment

by:Lazarus
ID: 36575437
This is not a bad thing. It's normal:

For network connections (such as to a file server), it will appear that users log on and off many times a day. This phenomenon is caused by the way the Server service terminates idle connections.

If a user turns off his/her computer, Windows does not have an opportunity to log the logoff event until the system restarts. Therefore, some logoff events are logged much later than the time at which they actually occur.

ANONYMOUS LOGONs are routine events on Windows networks.
 
Microsoft's comments:
This event does not necessarily indicate the time that a user has stopped using a system. For example, if the computer is shut down or loses network connectivity it may not record a logoff event at all.
0
 

Author Comment

by:gaddam01
ID: 36579813
Hello,

Thanks for the reply. In the reply you mentioned Microsoft's comments. Can you please send me any Microsoft KB article that supports your comments?
0
 
LVL 20

Accepted Solution

by:
Lazarus earned 500 total points
ID: 36581530
My apologies, but the Comments section was for Event 4638, which is closely related to what you are seeing, but not the same.

You can also use a GPO to disable anonymous login, but you may disable more than you are looking to if these are legitimate logons.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/6d95e56a-dd0e-406e-b492-faa6e37fabee/

Look here for details on event 540: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033

Then look here for a better understanding of it: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=540

You can look here as well for some advice in Experts exchange on this: http://www.experts-exchange.com/Networking/Network_Management/Auditing_Software/Q_22413459.html
0
 

Author Comment

by:gaddam01
ID: 36583116
3      Network      A user or computer logged on to this computer from the network.

In the Microsoft KB article, it was written like the above. What is the meaning of it?

The user doesn't have any rights on the member server, so how can they log in to the member server from the network?
This is not clear to me.

Please send me your comments on this, because we have not shared anything on this server.
0
 
LVL 20

Expert Comment

by:Lazarus
ID: 36584135
He does not have to have login rights to it. His computer could be contacting it for many different reasons.
Perhaps it would help if you told me what the server is, in conjunction with the network. Is it a DC? A file server, SQL server, etc.? What is its function?
0
