Solved

Event ID 4624 Logged on all Domain Workstations other user account names

Posted on 2016-08-22
Last Modified: 2016-09-22
First, this is the same question asked here (which was not answered): windows security auditing events 4624 4625 4634 type 3 continually appear in logs for any user.

What I am seeing is that throughout the day, every single computer on the domain has these events (both 4624 and 4636) logged from random user accounts on the domain. See parsed log screenshot:
Parsed Log
I am trying to find out what would cause this, and am concerned since authentication is happening with actual AD accounts, not system accounts. See a full log entry below:

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		SID PURPOSELY REMOVED
	Account Name:		USERNAME PURPOSELY REMOVED
	Account Domain:		MYDOMAIN
	Logon ID:		0x1CE12BBA3
	Logon GUID:		{d3ed4135-9087-b18a-7190-5ef238e18940}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.X.X.X
	Source Port:		63005 (THIS CHANGES, SEEING RANGES FROM 5000-6000)

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Question by:dejesusj
4 Comments
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 41766500
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 41766551
This is normal if you audit success. What you need to look for is 'failure'. There will be hundreds of successes on every network access: first a computer$ login (which gets a ticket), which allows users/services on that machine to also get a Kerberos ticket.
0
 
LVL 1

Accepted Solution

by:
dejesusj earned 0 total points
ID: 41772148
I am closing the question - turned out to be LabTech on the clients broadcasting to *.*.*.255
0
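
One way to trace logons like the one in the question back to the hosts that originate them, as an added example that is not part of the original thread: it parses rendered 4624 messages in the layout shown in the question and groups Logon Type 3 events by Source Network Address. The sample events, account names and addresses are constructed, and `parse_4624` and `network_logons_by_source` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed template: a rendered 4624 message in the layout shown in the
# question, trimmed to the fields used below.
TEMPLATE = (
    "An account was successfully logged on.\n\n"
    "Subject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\n"
    "Logon Type:\t\t\t{logon_type}\n\n"
    "New Logon:\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tMYDOMAIN\n\n"
    "Network Information:\n\tWorkstation Name:\t\n"
    "\tSource Network Address:\t{source}\n\tSource Port:\t\t63005\n"
)
# Constructed sample events (accounts and addresses are made up).
SAMPLE = [TEMPLATE.format(logon_type=t, account=a, source=s) for t, a, s in [
    ("3", "alice", "10.0.0.21"), ("3", "alice", "10.0.0.21"),
    ("3", "WS01$", "10.0.0.21"), ("3", "bob", "10.0.0.22"),
    ("2", "carol", "-"),
]]

def parse_4624(message):
    """Return {(section, field): value} for one rendered 4624 message.
    "Account Name" occurs under Subject and New Logon, so keys carry the section."""
    fields, section = {}, ""
    for line in message.splitlines():
        m = re.match(r"(\s*)([^:]+):\s*(.*)", line)
        if not m:
            continue
        indent, name, value = m.groups()
        if not indent and not value:
            section = name.strip()          # header such as "New Logon:"
        else:
            fields[(section if indent else "", name.strip())] = value.strip()
    return fields

def network_logons_by_source(messages):
    """List (source, count, users, machine accounts) for Logon Type 3, busiest first."""
    seen = defaultdict(lambda: {"n": 0, "users": set(), "machines": set()})
    for msg in messages:
        f = parse_4624(msg)
        if f.get(("", "Logon Type")) != "3":
            continue                        # keep network logons only
        entry = seen[f.get(("Network Information", "Source Network Address"), "-")]
        account = f.get(("New Logon", "Account Name"), "").lower()
        entry["n"] += 1
        # Accounts ending in "$" are computer accounts; list them separately.
        entry["machines" if account.endswith("$") else "users"].add(account)
    return sorted(((s, e["n"], sorted(e["users"]), sorted(e["machines"]))
                   for s, e in seen.items()), key=lambda r: (-r[1], r[0]))
```

The source addresses at the top of the list are the hosts to inspect for software that connects to its neighbours.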
 
LVL 59

Expert Comment

by:LeeTutor
ID: 41810352
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0


Question has a verified solution.
