Solved

2003 Domain Controller log offs.

Posted on 2014-09-25
6
138 Views
Last Modified: 2014-09-30
In my Event Viewer for Security I have 40,000+ log offs (event ID 538) yet only 6 logons. Why the disparity?
0
Comment
Question by:xmouser
  • 3
  • 3
6 Comments
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40345534
Have you enabled auditing of privilege use?  An excessive number of 538 could be an indication of the policy being turned on.

I suggest checking out the configuration of the Security Auditing policy.  Using Group Policy Manager go to:

1. Computer Configuration > Windows Settings > Security > Local > Audit
2. verify what is enabled
3. if privilege use auditing is enabled, disabled it

You can also do this locally by using  the Local Security Policy admin tool.  Go to:

1. Local Policies > Audit Policy
2. verify what is enabled
3. disable auditing objects as desired.

Dan
0
 

Author Comment

by:xmouser
ID: 40345858
Not seeing where I can specifically turn this off - not sure I should. But why so many log offs 40,000+ in comparison to 6 logons for the same week?
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40346034
There could be many reasons.  What is installed on this server?

See thread for a description of a similar situation:  http://social.technet.microsoft.com/Forums/windowsserver/en-US/5b4ce879-ed35-432f-8d60-30cfbbc6b62f/2003-sp2-dc-filling-up-with-event-id-538-540-and-576?forum=winserversecurity

Dan
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:xmouser
ID: 40346143
2003 Domain Controller.
0
 
LVL 27

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 40346166
Nothing else? No Exchange, SharePoint, etc...

If not, then you could disable the "Audit privilege use" policy on the DC.  This should reduce the 538s.

Unless you have some need to have had this option enabled, I suggest turning it off.

Reference link:  http://technet.microsoft.com/en-us/library/cc784501(v=ws.10).aspx

Dan
0
 

Author Comment

by:xmouser
ID: 40346296
I'll check.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
(Open)LDAP V2.44  search proxy to AD (W2012R2) 37 140
How to filter result in PowerShell 10 58
Need help in modifying an existing script 2 19
get bulk group members list in CSV 15 25
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question