
Event ID 4624 Logged on all Domain Workstations other user account names

First, this is the same question asked here (which was not answered): windows security auditing events 4624 4625 4634 type 3 continually appear in logs for any user.

What I am seeing is that throughout the day, every single computer on the domain has these events (both 4624 and 4636) logged from random user accounts on the domain. See parsed log screenshot:
[Screenshot: Parsed Log]
I am trying to find out what would cause this, and am concerned since authentication is happening with actual AD accounts, not system accounts. See a full log entry below:

An account was successfully logged on.

	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Account Domain:		MYDOMAIN
	Logon ID:		0x1CE12BBA3
	Logon GUID:		{d3ed4135-9087-b18a-7190-5ef238e18940}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.X.X.X
	Source Port:		63005 (THIS CHANGES, SEEING RANGES FROM 5000-6000)

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


1 Solution
David Johnson, CD, MVP Owner Commented:
This is normal if you audit success. What you need to look for is 'failure'. There will be hundreds of successes on every network access: first a computer$ login (which gets a ticket), which allows users/services on that machine to also get a Kerberos ticket.
dejesusj Author Commented:
I am closing the question - turned out to be LabTech on the clients broadcasting to *.*.*.255
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.
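
A triage sketch for the situation in this thread, added here as an example and not code from either poster: it parses rendered 4624 messages, keeps logon type 3, and tallies them per source address and account so the hosts that originate the logons can be inspected. The sample events, account names and addresses are constructed, and `make_event`, `parse_4624` and `top_talkers` are hypothetical helper names.

```python
import re
from collections import Counter

def make_event(account, source_ip, port, logon_type=3):
    """Build a constructed 4624 message in the rendered layout quoted in the question."""
    return (
        "An account was successfully logged on.\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        f"New Logon:\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tMYDOMAIN\n\n"
        "Network Information:\n\tWorkstation Name:\t\n"
        f"\tSource Network Address:\t{source_ip}\n\tSource Port:\t\t{port}\n\n"
        "Detailed Authentication Information:\n\tLogon Process:\t\tKerberos\n"
    )

# Constructed sample data: accounts, addresses and ports are made up.
SAMPLE_EVENTS = (
    [make_event("alice", "10.0.0.21", 50000 + i) for i in range(3)]
    + [make_event("bob", "10.0.0.22", 51000 + i) for i in range(2)]
    + [make_event("WS021$", "10.0.0.21", 52000),
       make_event("carol", "-", "-", logon_type=2)]  # interactive logon, ignored below
)

def parse_4624(message):
    """Return {(section, field): value} for one rendered 4624 message."""
    fields, section = {}, ""
    for line in message.splitlines():
        m = re.match(r"^(\s*)([^:]+):\s*(.*)$", line)
        if not m:
            continue  # description text and blank lines carry no "key: value"
        indent, key, value = m.groups()
        if not indent and not value:
            section = key  # unindented "New Logon:" style header opens a section
        else:
            fields[(section if indent else "", key)] = value.strip()
    return fields

def top_talkers(messages):
    """Count type 3 (network) logons per (source address, account, account kind)."""
    counts = Counter()
    for message in messages:
        f = parse_4624(message)
        if f.get(("", "Logon Type")) != "3":
            continue
        source = f.get(("Network Information", "Source Network Address")) or "-"
        account = f.get(("New Logon", "Account Name")) or "-"
        kind = "machine" if account.endswith("$") else "user"
        counts[(source, account, kind)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (source, account, kind), n in top_talkers(SAMPLE_EVENTS):
        print(f"{n:4d}  {source:15s}  {kind:7s}  {account}")
```

The addresses at the top of the tally are the machines to check for software that connects to its peers; the event itself reports Process Name as "-" for these network logons, so the originating program has to be identified on the source host.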
