Solved

Event ID 4624 Logged on all Domain Workstations other user account names

Posted on 2016-08-22
Last Modified: 2016-09-22
First, this is the same question asked here (which was not answered): windows security auditing events 4624 4625 4634 type 3 continually appear in logs for any user.

What I am seeing is that throughout the day, every single computer on the domain has these events (both 4624 and 4636) logged from random user accounts on the domain. See parsed log screenshot:
[Screenshot: Parsed Log]
I am trying to find out what would cause this, and am concerned since authentication is happening with actual AD accounts, not system accounts. See a full log entry below:

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		SID PURPOSELY REMOVED
	Account Name:		USERNAME PURPOSELY REMOVED
	Account Domain:		MYDOMAIN
	Logon ID:		0x1CE12BBA3
	Logon GUID:		{d3ed4135-9087-b18a-7190-5ef238e18940}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.X.X.X
	Source Port:		63005 (THIS CHANGES, SEEING RANGES FROM 5000-6000)

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Question by:dejesusj
5 Comments
 

Expert Comment

by:Sushil Sonawane
ID: 41766500

Expert Comment

by:David Johnson, CD, MVP
ID: 41766551
This is normal if you audit success. What you need to look for is 'failure'. There will be hundreds of successes on every network access: first a computer$ login (which gets a ticket), which allows users/services on that machine to also get a Kerberos ticket.

Accepted Solution

by:dejesusj
ID: 41772148
I am closing the question - turned out to be LabTech on the clients broadcasting to *.*.*.255

Expert Comment

by:LeeTutor
ID: 41810352
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
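
One way to see which hosts originate these network logons, as an added example that is not part of the original thread: the Python below parses rendered 4624 message text in the layout of the entry in the question and groups type 3 logons by Source Network Address. The template, account names and 10.0.0.x addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

HEADER = "An account was successfully logged on."
# Constructed template: a 4624 message trimmed to the fields used below.
TEMPLATE = HEADER + """

Subject:
\tAccount Name:\t\t-
Logon Type:\t\t\t{0}
New Logon:
\tAccount Name:\t\t{1}
\tAccount Domain:\t\tMYDOMAIN
Network Information:
\tSource Network Address:\t{2}
Detailed Authentication Information:
\tAuthentication Package:\t{3}
"""
# Constructed sample events (logon type, account, source address, package).
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("3", "alice", "10.0.0.21", "Kerberos"),
    ("3", "bob", "10.0.0.21", "Kerberos"),
    ("3", "alice", "10.0.0.22", "Kerberos"),
    ("2", "carol", "127.0.0.1", "Negotiate"),
    ("3", "carol", "10.0.0.21", "Kerberos"),
])
FIELD = re.compile(r"^[ \t]*(Logon Type|Account Name|Source Network Address"
                   r"|Authentication Package):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Return one dict of selected fields per rendered 4624 message."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        # "Account Name" occurs under Subject and then New Logon; the later
        # value overwrites the earlier, so the logged-on account is kept.
        events.append({k: v.strip() for k, v in FIELD.findall(chunk)})
    return events

def summarize_network_logons(events):
    """Group Logon Type 3 events by source: (address, count, accounts)."""
    by_source = defaultdict(Counter)
    for ev in events:
        if ev.get("Logon Type") == "3":
            src = ev.get("Source Network Address") or "-"
            by_source[src][ev.get("Account Name", "-")] += 1
    rows = [(s, sum(c.values()), sorted(c)) for s, c in by_source.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for src, count, accounts in summarize_network_logons(parse_events(SAMPLE)):
        print(f"{src:15} {count:4} {', '.join(accounts)}")
```

Run against exported event text from one workstation, the top rows show which source addresses account for the type 3 logons and under which accounts.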