Solved

Event ID 4624 Logged on all Domain Workstations other user account names

Posted on 2016-08-22
Last Modified: 2016-09-22
First, this is the same question asked here (which was not answered): windows security auditing events 4624 4625 4634 type 3 continually appear in logs for any user.

What I am seeing is that throughout the day, every single computer on the domain has these events (both 4624 and 4636) logged from random user accounts on the domain. See parsed log screenshot:
[Screenshot: Parsed Log]
I am trying to find out what would cause this, and am concerned since authentication is happening with actual AD accounts, not system accounts. See a full log entry below:

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		SID PURPOSELY REMOVED
	Account Name:		USERNAME PURPOSELY REMOVED
	Account Domain:		MYDOMAIN
	Logon ID:		0x1CE12BBA3
	Logon GUID:		{d3ed4135-9087-b18a-7190-5ef238e18940}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.X.X.X
	Source Port:		63005 (THIS CHANGES, SEEING RANGES FROM 5000-6000)

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Question by:dejesusj
5 Comments
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 41766500
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41766551
This is normal if you audit success. What you need to look for is 'failure'. There will be hundreds of successes on every network access: first a computer$ login (which gets a ticket), which allows users/services on that machine to also get a Kerberos ticket.
0
 
LVL 1

Accepted Solution

by:
dejesusj earned 0 total points
ID: 41772148
I am closing the question - turned out to be LabTech on the clients broadcasting to *.*.*.255
0
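One way to trace where logons like these originate, as an added example that is not part of the original thread: the script parses the rendered text of 4624 events in the layout quoted in the question and tallies type 3 (network) logons by Source Network Address, so the originating hosts can be checked for the software making the connections. The function names, sample accounts and 10.0.0.x addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# "<optional indent><field name>:<whitespace><value>", as in the event text above.
FIELD = re.compile(r"^(\s*)([A-Za-z][A-Za-z ()]*):[ \t]*(.*)$")

def parse_4624(message):
    """Parse the rendered text of one 4624 event into {(section, field): value}."""
    fields, section = {}, ""
    for line in message.splitlines():
        if not line.strip():
            section = ""                      # a blank line ends the current section
            continue
        m = FIELD.match(line)
        if not m:
            continue                          # explanatory prose, not a field
        indent, key, value = m.group(1), m.group(2).strip(), m.group(3).strip()
        if not indent and not value:
            section = key                     # header such as "New Logon:"
        else:                                 # "Account Name" exists in two sections,
            fields[(section if indent else "", key)] = value  # so key by section too
    return fields

def network_logon_sources(messages):
    """Group type 3 logons by source address: (source, logon count, accounts seen)."""
    seen = defaultdict(lambda: defaultdict(int))
    for msg in messages:
        f = parse_4624(msg)
        if f.get(("", "Logon Type")) != "3":
            continue                          # keep network logons only
        src = f.get(("Network Information", "Source Network Address")) or "-"
        acct = f.get(("New Logon", "Account Name"), "-")
        seen[src][acct] += 1
    rows = [(src, sum(a.values()), sorted(a)) for src, a in seen.items()]
    return sorted(rows, key=lambda r: (-len(r[2]), r[0]))  # most accounts first

# Constructed sample events in the layout shown in the question (not real log data).
TEMPLATE = ("An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\n"
            "Logon Type:\t\t\t{ltype}\n\nNew Logon:\n\tAccount Name:\t\t{acct}\n"
            "\tAccount Domain:\t\tMYDOMAIN\n\nNetwork Information:\n\tWorkstation Name:\t\n"
            "\tSource Network Address:\t{src}\n\tSource Port:\t\t63005\n")
SAMPLE = [TEMPLATE.format(ltype=t, acct=a, src=s) for t, a, s in [
    ("3", "alice", "10.0.0.21"), ("3", "alice", "10.0.0.21"),
    ("3", "bob", "10.0.0.22"), ("2", "carol", "-"), ("3", "dave", "10.0.0.22")]]

if __name__ == "__main__":
    for src, count, accounts in network_logon_sources(SAMPLE):
        print(f"{src}\t{count} logons\t{', '.join(accounts)}")
```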
 
LVL 59

Expert Comment

by:LeeTutor
ID: 41810352
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
