Solved

2003 Domain Controller log offs.

Posted on 2014-09-25
6
142 Views
Last Modified: 2014-09-30
In my Event Viewer for Security I have 40,000+ log offs (event ID 538) yet only 6 logons. Why the disparity?
0
Comment
Question by:xmouser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40345534
Have you enabled auditing of privilege use?  An excessive number of 538 could be an indication of the policy being turned on.

I suggest checking out the configuration of the Security Auditing policy.  Using Group Policy Manager go to:

1. Computer Configuration > Windows Settings > Security > Local > Audit
2. verify what is enabled
3. if privilege use auditing is enabled, disabled it

You can also do this locally by using  the Local Security Policy admin tool.  Go to:

1. Local Policies > Audit Policy
2. verify what is enabled
3. disable auditing objects as desired.

Dan
0
 

Author Comment

by:xmouser
ID: 40345858
Not seeing where I can specifically turn this off - not sure I should. But why so many log offs 40,000+ in comparison to 6 logons for the same week?
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40346034
There could be many reasons.  What is installed on this server?

See thread for a description of a similar situation:  http://social.technet.microsoft.com/Forums/windowsserver/en-US/5b4ce879-ed35-432f-8d60-30cfbbc6b62f/2003-sp2-dc-filling-up-with-event-id-538-540-and-576?forum=winserversecurity

Dan
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:xmouser
ID: 40346143
2003 Domain Controller.
0
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 40346166
Nothing else? No Exchange, SharePoint, etc...

If not, then you could disable the "Audit privilege use" policy on the DC.  This should reduce the 538s.

Unless you have some need to have had this option enabled, I suggest turning it off.

Reference link:  http://technet.microsoft.com/en-us/library/cc784501(v=ws.10).aspx

Dan
0
 

Author Comment

by:xmouser
ID: 40346296
I'll check.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question