Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

2003 Domain Controller log offs.

Posted on 2014-09-25
6
Medium Priority
?
143 Views
Last Modified: 2014-09-30
In my Event Viewer for Security I have 40,000+ log offs (event ID 538) yet only 6 logons. Why the disparity?
0
Comment
Question by:xmouser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40345534
Have you enabled auditing of privilege use?  An excessive number of 538 could be an indication of the policy being turned on.

I suggest checking out the configuration of the Security Auditing policy.  Using Group Policy Manager go to:

1. Computer Configuration > Windows Settings > Security > Local > Audit
2. verify what is enabled
3. if privilege use auditing is enabled, disabled it

You can also do this locally by using  the Local Security Policy admin tool.  Go to:

1. Local Policies > Audit Policy
2. verify what is enabled
3. disable auditing objects as desired.

Dan
0
 

Author Comment

by:xmouser
ID: 40345858
Not seeing where I can specifically turn this off - not sure I should. But why so many log offs 40,000+ in comparison to 6 logons for the same week?
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40346034
There could be many reasons.  What is installed on this server?

See thread for a description of a similar situation:  http://social.technet.microsoft.com/Forums/windowsserver/en-US/5b4ce879-ed35-432f-8d60-30cfbbc6b62f/2003-sp2-dc-filling-up-with-event-id-538-540-and-576?forum=winserversecurity

Dan
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:xmouser
ID: 40346143
2003 Domain Controller.
0
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 2000 total points
ID: 40346166
Nothing else? No Exchange, SharePoint, etc...

If not, then you could disable the "Audit privilege use" policy on the DC.  This should reduce the 538s.

Unless you have some need to have had this option enabled, I suggest turning it off.

Reference link:  http://technet.microsoft.com/en-us/library/cc784501(v=ws.10).aspx

Dan
0
 

Author Comment

by:xmouser
ID: 40346296
I'll check.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question