Solved

Event ID 4624 Logged on all Domain Workstations other user account names

Posted on 2016-08-22
Last Modified: 2016-09-22
First, this is the same question asked here (which was not answered): windows security auditing events 4624 4625 4634 type 3 continually appear in logs for any user.

What I am seeing is that throughout the day, every single computer on the domain has these events (both 4624 and 4636) logged from random user accounts on the domain. See parsed log screenshot:
Parsed Log
I am trying to find out what would cause this, and am concerned since authentication is happening with actual AD accounts, not system accounts. See a full log entry below:

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		SID PURPOSELY REMOVED
	Account Name:		USERNAME PURPOSELY REMOVED
	Account Domain:		MYDOMAIN
	Logon ID:		0x1CE12BBA3
	Logon GUID:		{d3ed4135-9087-b18a-7190-5ef238e18940}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.X.X.X
	Source Port:		63005 (THIS CHANGES, SEEING RANGES FROM 5000-6000)

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Question by:dejesusj
5 Comments
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 41766500
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41766551
This is normal if you audit success. What you need to look for is 'failure'. There will be hundreds of successes on every network access: first a computer$ login (which gets a ticket), which allows users/services on that machine to also get a Kerberos ticket.
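The reply above says to read the flood of successful type-3 logons by separating computer-account (NAME$) logons from user logons and concentrating on failures. The script below is an added example, not code from the question or from any of the replies: it parses the tab-separated "Field: value" layout of the 4624 text quoted in the question, then summarises which source address generates the most network logons (the kind of grouping that would have pointed at the single host the asker later identified), counts computer versus user logons, and lists the 4625 failures. The event bodies are constructed by a helper so the example runs offline; the account names, addresses, SIDs and logon IDs in it are invented, and the trimmed 4625 layout (with its "Account For Which Logon Failed:" section) is a simplification of the real event text.

```python
"""Offline triage of exported Windows 4624/4625 logon-event text (added example)."""
from collections import Counter


def make_event(event_id, account, domain, logon_type, source, package):
    """Build a constructed event body in the layout of the question's 4624.

    4625 bodies use 'Account For Which Logon Failed:' instead of 'New Logon:';
    other sections are trimmed to what the parser below needs. All values are
    invented for the example.
    """
    if event_id == 4624:
        headline, section = "An account was successfully logged on.", "New Logon:"
    else:
        headline, section = "An account failed to log on.", "Account For Which Logon Failed:"
    return (
        f"{headline}\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n"
        f"\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t{logon_type}\n\n"
        f"{section}\n\tSecurity ID:\t\tS-1-5-21-0-0-0-1000\n\tAccount Name:\t\t{account}\n"
        f"\tAccount Domain:\t\t{domain}\n\tLogon ID:\t\t0x1CE12BBA3\n\n"
        f"Network Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t{source}\n"
        f"\tSource Port:\t\t63005\n\nDetailed Authentication Information:\n"
        f"\tLogon Process:\t\t{package}\n\tAuthentication Package:\t{package}\n\tKey Length:\t\t0\n"
    )


def parse_logon_event(event_id, body):
    """Return the fields an analyst keys on, grouped by the event's section headers."""
    sections, current = {}, "_top"
    for raw in body.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not raw.startswith("\t"):  # unindented: a section header or a top-level field
            if line.endswith(":"):
                current = line[:-1]
                continue
            current = "_top"
        if ":" in line:
            key, _, value = line.strip().partition(":")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    # 4624 carries the account under 'New Logon', 4625 under 'Account For Which Logon Failed'
    acct = sections.get("New Logon") or sections.get("Account For Which Logon Failed") or {}
    net = sections.get("Network Information", {})
    auth = sections.get("Detailed Authentication Information", {})
    name = acct.get("Account Name", "-")
    return {
        "event_id": event_id,
        "logon_type": int(sections.get("_top", {}).get("Logon Type", "0")),
        "account": name,
        "domain": acct.get("Account Domain", "-"),
        "source": net.get("Source Network Address", "-") or "-",
        "package": auth.get("Authentication Package", "-"),
        "is_computer_account": name.endswith("$"),  # machine accounts end in '$'
    }


def triage(events):
    """Summarise (event_id, body) pairs the way the reply suggests reading them."""
    parsed = [parse_logon_event(eid, body) for eid, body in events]
    network_ok = [e for e in parsed if e["event_id"] == 4624 and e["logon_type"] == 3]
    return {
        # failures are the events worth reading one by one
        "failures": [(e["domain"], e["account"], e["source"], e["package"])
                     for e in parsed if e["event_id"] == 4625],
        # which hosts are responsible for the bulk of the type-3 noise
        "top_sources": Counter(e["source"] for e in network_ok).most_common(),
        "computer_logons": sum(e["is_computer_account"] for e in network_ok),
        "user_logons": sum(not e["is_computer_account"] for e in network_ok),
        "ntlm_logons": sum(e["package"].upper() == "NTLM" for e in parsed),
    }


# Constructed sample: one host producing repeated user logons, one machine-account
# logon, one interactive logon with no source address, and one NTLM failure.
SAMPLE_EVENTS = [
    (4624, make_event(4624, "jdoe", "MYDOMAIN", 3, "10.0.0.25", "Kerberos")),
    (4624, make_event(4624, "asmith", "MYDOMAIN", 3, "10.0.0.25", "Kerberos")),
    (4624, make_event(4624, "jdoe", "MYDOMAIN", 3, "10.0.0.25", "Kerberos")),
    (4624, make_event(4624, "WS01$", "MYDOMAIN", 3, "10.0.0.26", "Kerberos")),
    (4624, make_event(4624, "bob", "MYDOMAIN", 2, "-", "Negotiate")),
    (4625, make_event(4625, "admin", "MYDOMAIN", 3, "10.0.0.99", "NTLM")),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

To use it on real data, export the events (for example the Message field from Get-WinEvent, or the text column of an exported log), pair each body with its event ID, and pass the list to `triage`; the top_sources list is the quickest way to see whether one host, rather than the whole domain, is behind the volume.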
LVL 1

Accepted Solution

by:dejesusj (earned 0 total points)
ID: 41772148
I am closing the question - turned out to be LabTech on the clients broadcasting to *.*.*.255
LVL 59

Expert Comment

by:LeeTutor
ID: 41810352
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
