Solved

2003 Domain Controller log offs.

Posted on 2014-09-25
6
140 Views
Last Modified: 2014-09-30
In my Event Viewer for Security I have 40,000+ log offs (event ID 538) yet only 6 logons. Why the disparity?
0
Comment
Question by:xmouser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40345534
Have you enabled auditing of privilege use?  An excessive number of 538 could be an indication of the policy being turned on.

I suggest checking out the configuration of the Security Auditing policy.  Using Group Policy Manager go to:

1. Computer Configuration > Windows Settings > Security > Local > Audit
2. verify what is enabled
3. if privilege use auditing is enabled, disabled it

You can also do this locally by using  the Local Security Policy admin tool.  Go to:

1. Local Policies > Audit Policy
2. verify what is enabled
3. disable auditing objects as desired.

Dan
0
 

Author Comment

by:xmouser
ID: 40345858
Not seeing where I can specifically turn this off - not sure I should. But why so many log offs 40,000+ in comparison to 6 logons for the same week?
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40346034
There could be many reasons.  What is installed on this server?

See thread for a description of a similar situation:  http://social.technet.microsoft.com/Forums/windowsserver/en-US/5b4ce879-ed35-432f-8d60-30cfbbc6b62f/2003-sp2-dc-filling-up-with-event-id-538-540-and-576?forum=winserversecurity

Dan
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 

Author Comment

by:xmouser
ID: 40346143
2003 Domain Controller.
0
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 40346166
Nothing else? No Exchange, SharePoint, etc...

If not, then you could disable the "Audit privilege use" policy on the DC.  This should reduce the 538s.

Unless you have some need to have had this option enabled, I suggest turning it off.

Reference link:  http://technet.microsoft.com/en-us/library/cc784501(v=ws.10).aspx

Dan
0
 

Author Comment

by:xmouser
ID: 40346296
I'll check.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question