Windows 2003 Server, Constant Logon/Logoff in my Security Log - does this mean something is wrong?


From: Edgar E. Cayce (myfullnamenopunctuation_at_yahoo.com)
Date: 07/26/04


Date: Mon, 26 Jul 2004 15:29:15 -0700

I have a Windows 2003 server acting as domain controller on a small (7
PC) office network.

Things seem to be working OK, but in my Event Viewer Security log, I
find constant Success Audits where the machines in my network are
doing Logon/Logoff and Privilege Use. These are happening many times
per minute and I am concerned that something may be amiss.

It usually seems to be Logon/Logoff EventID 540, then Privilege Use
#576, then Logon/Logoff #538, like so:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
Successful Network Logon:
         User Name: MEDTEKSERVER$
         Domain: MEDTEK
         Logon ID: (0x0,0x19D51B45)
         Logon Type: 3
         Logon Process: Kerberos
         Authentication Package: Kerberos
         Workstation Name:
         Logon GUID: {09dc05ac-b256-11bc-da59-4245b06f1711}
         Caller User Name: -
         Caller Domain: -
         Caller Logon ID: -
         Caller Process ID: -
         Transited Services: -
         Source Network Address: 192.168.1.200
         Source Port: 3957

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
Special privileges assigned to new logon:
         User Name: MEDTEKSERVER$
         Domain: MEDTEK
         Logon ID: (0x0,0x19D51B45)
         Privileges: SeBackupPrivilege
                        SeRestorePrivilege
                        SeDebugPrivilege
                        SeChangeNotifyPrivilege

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
User Logoff:
         User Name: MEDTEKSERVER$
         Domain: MEDTEK
         Logon ID: (0x0,0x19D51AF8)
         Logon Type: 3

Is this stuff normal? Is my auditing set too high? Any help would be
muchly appreciated.

Ed
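
One way to triage a flood like the one quoted above, as an added example that is not part of the original post: it parses Event Viewer text in the format shown, counts 540 logons by account kind, logon type and source address, and pairs 540/538 events by Logon ID. The sample input is trimmed from the three quoted events; the function names are this example's own.

```python
import re
from collections import Counter

# Trimmed from the three events quoted in the post above.
SAMPLE = """\
Event ID: 540
         User Name: MEDTEKSERVER$
         Logon ID: (0x0,0x19D51B45)
         Logon Type: 3
         Source Network Address: 192.168.1.200

Event ID: 576
         User Name: MEDTEKSERVER$
         Logon ID: (0x0,0x19D51B45)

Event ID: 538
         User Name: MEDTEKSERVER$
         Logon ID: (0x0,0x19D51AF8)
         Logon Type: 3
"""

FIELD = re.compile(
    r"^\s*(Event ID|User Name|Logon ID|Logon Type|Source Network Address)"
    r":[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split the export on blank lines; return one dict of fields per event."""
    return [dict(FIELD.findall(b)) for b in re.split(r"\n\s*\n", text.strip())]

def summarize(events):
    """Count 540 logons by (account kind, logon type, source address) and
    return the Logon IDs that have a 540 but no matching 538 in the input."""
    logons, unmatched = Counter(), {}
    for e in events:
        if e.get("Event ID") == "540":
            # A trailing "$" marks a computer account rather than a person.
            kind = "machine" if e.get("User Name", "").endswith("$") else "user"
            logons[(kind, e.get("Logon Type"), e.get("Source Network Address"))] += 1
            unmatched[e["Logon ID"]] = e.get("User Name")
        elif e.get("Event ID") == "538":
            unmatched.pop(e.get("Logon ID"), None)  # closes only its own session
    return logons, unmatched

if __name__ == "__main__":
    logons, unmatched = summarize(parse_events(SAMPLE))
    for key, n in logons.most_common():
        print(n, *key)
    print("no logoff seen for:", unmatched)
```

On the quoted events, the 538 carries Logon ID 0x19D51AF8 while the 540 and 576 carry 0x19D51B45, so the logoff shown closes a different session from the logon shown.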


