
Event ID 5723 Source: NETLOGON

wcgplc asked:
Evening experts,

We have a number of instances of Event ID 5723 Source: NETLOGON on one of our DCs with Win Svr 2008 installed (see below), although the PC in the event does not belong to our network and never did. I work for a financial organisation and security is as tight as it can be regarding physical access to our main office, so I'm assuming this access attempt was made remotely. Please, can you help me out here on how this could have happened? We don't have Wi-Fi on our network so I'm a little baffled here. Please advise.


Scott Silva, Network Administrator

Commented:
Whatever it is, it got far enough into your network to try to log in to the domain... You might need to do a system-wide network audit to make sure someone didn't plug something into an open port OR has a virtual machine going...
Turning Netlogon debugging on should capture IP addresses and maybe help you track down what is happening...

https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service
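
One way to follow the advice above on the affected DC, as an added example that is not part of the original thread: summarise the 5723 events per computer name, turn on Netlogon debug logging, then search the debug log for those names. It assumes an elevated PowerShell session and that the first event property holds the computer name from the message text.

```powershell
# Added example. Run elevated on the DC that logs Event ID 5723.
# Assumption: Properties[0] of a 5723 record is the computer name shown in the
# event message; compare it with one event's text before trusting the grouping.

# 1. Summarise existing 5723 events per computer name (count, first and last seen).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5723
} -ErrorAction SilentlyContinue

$summary = $events | Group-Object { $_.Properties[0].Value } | ForEach-Object {
    $sorted = @($_.Group | Sort-Object TimeCreated)
    New-Object psobject -Property @{
        Computer = $_.Name
        Count    = $_.Count
        First    = $sorted[0].TimeCreated
        Last     = $sorted[-1].TimeCreated
    }
}
$summary | Sort-Object Count -Descending |
    Select-Object Computer, Count, First, Last | Format-Table -AutoSize

# 2. Enable verbose Netlogon debug logging (flag value from the Microsoft article
#    linked above). If nothing is written to the log, restart the Netlogon service.
nltest /dbflag:0x2080ffff

# 3. After the next 5723 event, search the debug log for the same names.
#    The matching lines are where a source address may appear.
$log   = Join-Path $env:windir 'debug\netlogon.log'
$names = @($summary | ForEach-Object { $_.Computer } | Where-Object { $_ })
if ($names.Count -gt 0 -and (Test-Path $log)) {
    Select-String -Path $log -Pattern $names -SimpleMatch |
        Select-Object LineNumber, Line
}

# 4. Turn debug logging off again once the source has been identified:
#    nltest /dbflag:0x0
```

Any address found this way can then be checked against DHCP leases, switch port tables and VPN logs during the network audit.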