

I am noticing more and more Event IDs 538 and 540 in Event Viewer with Success Audits coming from several different IP addresses/computer names that I do not recognize.  Does this mean that someone is successfully accessing this machine?

Successful Network Logon:
       User Name:      
       Logon ID:            (0x0,0x5E99B01)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SVCTAG-9F14HBX
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:
       Source Port:      0

Thanks in advance.


Ok.  My concern is that if this is an MS bug, how is it getting a specific source IP and computer name that isn't on our network?  That's really what is concerning me.
check the cause and solution here:


this may help you get rid of the event ids 538 and 540


Ok, I've read this and I realize that this is an authorization check based on AD security groups, but my concern is why am I seeing specific computer names and IP addresses that look extremely strange?  I've done IP lookups on a few of these IPs and they originate from France to China... which tells me that this "bug" may be something more, since it's getting these IPs and computer names from somewhere...
The IPs you mention are indeed the source IPs of machines touching your server.  All protocols aside, it might be worth looking into how is even allowed to get to your server.  Does your organization have people who travel and VPN into your network?  Is your server plugged directly into the internet?  If not, a firewall or router has to be letting it through.
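
Added example, not part of the original thread: one way to triage exported event 540 descriptions is to list the type 3 (network) logons whose source address falls outside your own ranges, which is the set worth checking against the firewall. The sample events, the names `parse_events` and `external_network_logons`, and the `INTERNAL_NETS` ranges are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: internal ranges are RFC 1918 plus loopback; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the layout shown in the question (made-up names and
# addresses; 203.0.113.7 is a documentation address standing in for an outside host).
SAMPLE = """\
Successful Network Logon:
       User Name:
       Logon Type:      3
       Logon Process:      NtLmSsp
       Workstation Name:      EXAMPLE-PC1
       Source Network Address:      203.0.113.7

Successful Network Logon:
       User Name:      jdoe
       Logon Type:      3
       Logon Process:      Kerberos
       Workstation Name:      -
       Source Network Address:      192.168.1.20
"""

# "Field Name:   value" lines; the value may be empty.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Return one dict of fields per event description in text."""
    events = []
    for block in text.split("Successful Network Logon:")[1:]:
        matches = (FIELD.match(line) for line in block.splitlines())
        events.append({m.group(1): m.group(2) for m in matches if m})
    return events

def external_network_logons(events):
    """Return (address, workstation, user) for type 3 logons from outside INTERNAL_NETS."""
    flagged = []
    for ev in events:
        addr = ev.get("Source Network Address", "")
        if ev.get("Logon Type") != "3" or addr in ("", "-"):
            continue  # not a network logon, or the source was not recorded
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in INTERNAL_NETS):
            flagged.append((addr, ev.get("Workstation Name", ""), ev.get("User Name", "")))
    return flagged
```

Events with a blank or `-` source address, like the one pasted in the question, are skipped because there is nothing to classify.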